[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:02.00,0:00:03.32,Default,,0000,0000,0000,,Hello everyone. Dialogue: 0,0:00:04.29,0:00:06.84,Default,,0000,0000,0000,,We are getting started here on Dialogue: 0,0:00:06.84,0:00:09.88,Default,,0000,0000,0000,,our August lunch and learn session Dialogue: 0,0:00:09.88,0:00:12.64,Default,,0000,0000,0000,,presented by Kinney Group's Atlas Customer Dialogue: 0,0:00:12.64,0:00:16.40,Default,,0000,0000,0000,,Experience team. My name is Alice Devaney. I Dialogue: 0,0:00:16.40,0:00:19.16,Default,,0000,0000,0000,,am the engineering manager for the Atlas Dialogue: 0,0:00:19.16,0:00:21.96,Default,,0000,0000,0000,,Customer Experience team, and I'm excited Dialogue: 0,0:00:21.96,0:00:24.80,Default,,0000,0000,0000,,to be presenting this month's session on Dialogue: 0,0:00:24.80,0:00:28.00,Default,,0000,0000,0000,,intermediate-level Splunk searching. So Dialogue: 0,0:00:28.00,0:00:30.20,Default,,0000,0000,0000,,thank you all for attending. I hope you Dialogue: 0,0:00:30.20,0:00:33.00,Default,,0000,0000,0000,,get some good ideas out of this. Dialogue: 0,0:00:33.00,0:00:35.12,Default,,0000,0000,0000,,I certainly encourage engagement through Dialogue: 0,0:00:35.12,0:00:37.04,Default,,0000,0000,0000,,the chat, and I'll have some Dialogue: 0,0:00:37.04,0:00:39.80,Default,,0000,0000,0000,,information at the end on following up Dialogue: 0,0:00:39.80,0:00:42.24,Default,,0000,0000,0000,,and speaking with my team directly on Dialogue: 0,0:00:42.24,0:00:45.88,Default,,0000,0000,0000,,any issues or interests that you have Dialogue: 0,0:00:45.88,0:00:48.00,Default,,0000,0000,0000,,around these types of concepts that Dialogue: 0,0:00:48.00,0:00:51.52,Default,,0000,0000,0000,,we're going to cover today. So jumping Dialogue: 0,0:00:51.52,0:00:55.20,Default,,0000,0000,0000,,into an intermediate-level session. 
Dialogue: 0,0:00:55.20,0:00:57.96,Default,,0000,0000,0000,,I do want to say that we have previously Dialogue: 0,0:00:57.96,0:01:02.12,Default,,0000,0000,0000,,done a basic level searching Dialogue: 0,0:01:02.12,0:01:05.28,Default,,0000,0000,0000,,session so that we are really Dialogue: 0,0:01:05.28,0:01:07.36,Default,,0000,0000,0000,,progressing from that, picking up right Dialogue: 0,0:01:07.36,0:01:09.40,Default,,0000,0000,0000,,where we left off. We've done that Dialogue: 0,0:01:09.40,0:01:10.64,Default,,0000,0000,0000,,session with quite a few of our Dialogue: 0,0:01:10.64,0:01:12.92,Default,,0000,0000,0000,,customers individually and highly Dialogue: 0,0:01:12.92,0:01:14.64,Default,,0000,0000,0000,,recommend if you're interested in doing Dialogue: 0,0:01:14.64,0:01:18.20,Default,,0000,0000,0000,,that or this session with a larger team, Dialogue: 0,0:01:18.20,0:01:19.92,Default,,0000,0000,0000,,we're happy to discuss and Dialogue: 0,0:01:19.92,0:01:22.84,Default,,0000,0000,0000,,coordinate that. So getting started, Dialogue: 0,0:01:22.84,0:01:25.60,Default,,0000,0000,0000,,we're going to take a look at the final Dialogue: 0,0:01:25.60,0:01:29.00,Default,,0000,0000,0000,,search from our basic search session. 
Dialogue: 0,0:01:29.00,0:01:31.16,Default,,0000,0000,0000,,And we're going to walk through that, Dialogue: 0,0:01:31.16,0:01:34.16,Default,,0000,0000,0000,,understand some of the concepts, and Dialogue: 0,0:01:34.16,0:01:36.48,Default,,0000,0000,0000,,then we're going to take a step back, Dialogue: 0,0:01:36.48,0:01:39.48,Default,,0000,0000,0000,,look a little more generally at SPL Dialogue: 0,0:01:39.48,0:01:41.76,Default,,0000,0000,0000,,operations and understanding how Dialogue: 0,0:01:41.76,0:01:46.20,Default,,0000,0000,0000,,different commands apply to data, and Dialogue: 0,0:01:46.20,0:01:49.32,Default,,0000,0000,0000,,really that next level of understanding Dialogue: 0,0:01:49.32,0:01:51.76,Default,,0000,0000,0000,,for how you can write more complex Dialogue: 0,0:01:51.76,0:01:54.12,Default,,0000,0000,0000,,searches and understand really when Dialogue: 0,0:01:54.12,0:01:57.12,Default,,0000,0000,0000,,to use certain types of commands. And Dialogue: 0,0:01:57.12,0:01:59.56,Default,,0000,0000,0000,,of course, in the session we're going Dialogue: 0,0:01:59.56,0:02:04.40,Default,,0000,0000,0000,,to have a series of demos using Dialogue: 0,0:02:04.40,0:02:07.36,Default,,0000,0000,0000,,a few specific commands, highlighting the Dialogue: 0,0:02:07.36,0:02:10.44,Default,,0000,0000,0000,,different SPL command types that we Dialogue: 0,0:02:10.44,0:02:12.84,Default,,0000,0000,0000,,discuss in the second portion and get Dialogue: 0,0:02:12.84,0:02:15.88,Default,,0000,0000,0000,,to see that on the tutorial data that Dialogue: 0,0:02:15.88,0:02:18.16,Default,,0000,0000,0000,,you can also use in your environment, Dialogue: 0,0:02:18.16,0:02:20.84,Default,,0000,0000,0000,,in a test environment very Dialogue: 0,0:02:20.84,0:02:24.20,Default,,0000,0000,0000,,simply. 
So I will always encourage Dialogue: 0,0:02:24.20,0:02:27.72,Default,,0000,0000,0000,,especially with search content that you Dialogue: 0,0:02:27.72,0:02:30.32,Default,,0000,0000,0000,,look into the additional resource that I Dialogue: 0,0:02:30.32,0:02:34.12,Default,,0000,0000,0000,,have listed here. The search reference Dialogue: 0,0:02:34.12,0:02:36.44,Default,,0000,0000,0000,,documentation is one of my favorite Dialogue: 0,0:02:36.44,0:02:38.76,Default,,0000,0000,0000,,bookmarks that I use frequently in my Dialogue: 0,0:02:38.76,0:02:41.00,Default,,0000,0000,0000,,own environments and working in customer Dialogue: 0,0:02:41.00,0:02:43.56,Default,,0000,0000,0000,,environments. It is really the Dialogue: 0,0:02:43.56,0:02:46.00,Default,,0000,0000,0000,,best quick resource to get information Dialogue: 0,0:02:46.00,0:02:49.56,Default,,0000,0000,0000,,on syntax and examples of any search Dialogue: 0,0:02:49.56,0:02:51.76,Default,,0000,0000,0000,,command and is always a great Dialogue: 0,0:02:51.76,0:02:55.00,Default,,0000,0000,0000,,resource to have. The search manual is a Dialogue: 0,0:02:55.00,0:02:57.08,Default,,0000,0000,0000,,little bit more conceptual, but as you're Dialogue: 0,0:02:57.08,0:02:59.12,Default,,0000,0000,0000,,learning more about different types of Dialogue: 0,0:02:59.12,0:03:00.36,Default,,0000,0000,0000,,search operations, Dialogue: 0,0:03:00.36,0:03:02.44,Default,,0000,0000,0000,,it's very helpful to be able to review Dialogue: 0,0:03:02.44,0:03:03.50,Default,,0000,0000,0000,,this documentation Dialogue: 0,0:03:03.50,0:03:05.56,Default,,0000,0000,0000,,and have reference Dialogue: 0,0:03:05.56,0:03:08.68,Default,,0000,0000,0000,,material that you can come back to as Dialogue: 0,0:03:08.68,0:03:11.08,Default,,0000,0000,0000,,you are studying and trying to get Dialogue: 0,0:03:11.08,0:03:13.48,Default,,0000,0000,0000,,better and writing more complex Dialogue: 0,0:03:13.48,0:03:16.88,Default,,0000,0000,0000,,search content. 
I have also linked here Dialogue: 0,0:03:16.88,0:03:18.96,Default,,0000,0000,0000,,the documentation on how to use the Dialogue: 0,0:03:18.96,0:03:21.80,Default,,0000,0000,0000,,Splunk tutorial data, so if you've not Dialogue: 0,0:03:21.80,0:03:23.36,Default,,0000,0000,0000,,done that before, it's a very simple Dialogue: 0,0:03:23.36,0:03:25.92,Default,,0000,0000,0000,,process, and there are consistently Dialogue: 0,0:03:25.92,0:03:28.28,Default,,0000,0000,0000,,updated download files that Splunk Dialogue: 0,0:03:28.28,0:03:30.68,Default,,0000,0000,0000,,provides that you're able to directly Dialogue: 0,0:03:30.68,0:03:33.44,Default,,0000,0000,0000,,upload into any Splunk environment. So Dialogue: 0,0:03:33.44,0:03:35.56,Default,,0000,0000,0000,,that's what I'm going to be using today, Dialogue: 0,0:03:35.56,0:03:39.00,Default,,0000,0000,0000,,and given that you are searching over Dialogue: 0,0:03:39.00,0:03:41.40,Default,,0000,0000,0000,,appropriate time windows for when you Dialogue: 0,0:03:41.40,0:03:43.92,Default,,0000,0000,0000,,download the tutorial dataset, these Dialogue: 0,0:03:43.92,0:03:46.52,Default,,0000,0000,0000,,searches will work on the tutorial Dialogue: 0,0:03:46.52,0:03:48.76,Default,,0000,0000,0000,,data as well. 
So highly encourage, after Dialogue: 0,0:03:48.76,0:03:50.88,Default,,0000,0000,0000,,the fact, if you want to go through Dialogue: 0,0:03:50.88,0:03:53.76,Default,,0000,0000,0000,,and test out some of the content, Dialogue: 0,0:03:53.76,0:03:56.92,Default,,0000,0000,0000,,you'll be able to access a recording as Dialogue: 0,0:03:56.92,0:03:59.36,Default,,0000,0000,0000,,well as if you'd like the slides that Dialogue: 0,0:03:59.36,0:04:00.96,Default,,0000,0000,0000,,I'm presenting off of today, which I Dialogue: 0,0:04:00.96,0:04:02.28,Default,,0000,0000,0000,,highly encourage because there are a lot Dialogue: 0,0:04:02.28,0:04:04.80,Default,,0000,0000,0000,,of useful links in here, reach out to Dialogue: 0,0:04:04.80,0:04:06.76,Default,,0000,0000,0000,,my team. Again, right at the end of the Dialogue: 0,0:04:06.76,0:04:08.60,Default,,0000,0000,0000,,slides we'll have that info. Dialogue: 0,0:04:08.60,0:04:13.08,Default,,0000,0000,0000,,So looking at our overview of basic Dialogue: 0,0:04:13.08,0:04:15.80,Default,,0000,0000,0000,,search, I just want to cover Dialogue: 0,0:04:15.80,0:04:18.12,Default,,0000,0000,0000,,conceptually the two categories that Dialogue: 0,0:04:18.12,0:04:21.64,Default,,0000,0000,0000,,we discuss in that session. And so those Dialogue: 0,0:04:21.64,0:04:24.20,Default,,0000,0000,0000,,two are the statistical and charting Dialogue: 0,0:04:24.20,0:04:28.48,Default,,0000,0000,0000,,functions which consist of in those Dialogue: 0,0:04:28.48,0:04:31.48,Default,,0000,0000,0000,,demos aggregate and time functions. 
So Dialogue: 0,0:04:31.48,0:04:33.92,Default,,0000,0000,0000,,aggregate functions are going to be your Dialogue: 0,0:04:33.92,0:04:37.40,Default,,0000,0000,0000,,commonly used statistical functions Dialogue: 0,0:04:37.40,0:04:40.40,Default,,0000,0000,0000,,meant for summarization, and then time Dialogue: 0,0:04:40.40,0:04:43.20,Default,,0000,0000,0000,,functions actually using the Dialogue: 0,0:04:43.20,0:04:46.64,Default,,0000,0000,0000,,timestamp field underscore time or any Dialogue: 0,0:04:46.64,0:04:48.60,Default,,0000,0000,0000,,other time that you've extracted from Dialogue: 0,0:04:48.60,0:04:51.76,Default,,0000,0000,0000,,data and looking at earliest, latest Dialogue: 0,0:04:51.76,0:04:55.00,Default,,0000,0000,0000,,relative time values in a Dialogue: 0,0:04:55.00,0:04:58.24,Default,,0000,0000,0000,,summative fashion. And then evaluation Dialogue: 0,0:04:58.24,0:05:02.32,Default,,0000,0000,0000,,functions are the separate type where Dialogue: 0,0:05:02.32,0:05:04.40,Default,,0000,0000,0000,,we discuss comparison and conditional Dialogue: 0,0:05:04.40,0:05:07.60,Default,,0000,0000,0000,,statements so using your if and your Dialogue: 0,0:05:07.60,0:05:10.24,Default,,0000,0000,0000,,case commands in Dialogue: 0,0:05:10.24,0:05:14.12,Default,,0000,0000,0000,,evals. 
Also datetime functions that Dialogue: 0,0:05:14.12,0:05:17.16,Default,,0000,0000,0000,,apply operations to events uniquely Dialogue: 0,0:05:17.16,0:05:19.76,Default,,0000,0000,0000,,so not necessarily summarization, but Dialogue: 0,0:05:19.76,0:05:22.28,Default,,0000,0000,0000,,interacting with the time values Dialogue: 0,0:05:22.28,0:05:24.32,Default,,0000,0000,0000,,themselves, maybe changing the time Dialogue: 0,0:05:24.32,0:05:27.00,Default,,0000,0000,0000,,format, and then multivalue evalq Dialogue: 0,0:05:27.00,0:05:29.36,Default,,0000,0000,0000,,functions, we touch on that very lightly, Dialogue: 0,0:05:29.36,0:05:31.72,Default,,0000,0000,0000,,and it is more conceptual in basic Dialogue: 0,0:05:31.72,0:05:34.00,Default,,0000,0000,0000,,search. So today we're going to dive in Dialogue: 0,0:05:34.00,0:05:36.12,Default,,0000,0000,0000,,as part of our demo and look at Dialogue: 0,0:05:36.12,0:05:39.16,Default,,0000,0000,0000,,multivalue eval functions later in Dialogue: 0,0:05:39.16,0:05:41.32,Default,,0000,0000,0000,,the presentation. Dialogue: 0,0:05:41.48,0:05:44.88,Default,,0000,0000,0000,,So on this slide here I Dialogue: 0,0:05:44.88,0:05:48.80,Default,,0000,0000,0000,,have highlighted in gray the search Dialogue: 0,0:05:48.80,0:05:52.12,Default,,0000,0000,0000,,that we end basic search with. And so Dialogue: 0,0:05:52.12,0:05:55.00,Default,,0000,0000,0000,,that is broken up into three segments Dialogue: 0,0:05:55.00,0:05:57.48,Default,,0000,0000,0000,,where we have the first line being a Dialogue: 0,0:05:57.48,0:06:00.24,Default,,0000,0000,0000,,filter to a dataset. This is very Dialogue: 0,0:06:00.24,0:06:03.12,Default,,0000,0000,0000,,simply how you are sourcing most of your Dialogue: 0,0:06:03.12,0:06:06.32,Default,,0000,0000,0000,,data in most of your searches in Splunk. Dialogue: 0,0:06:06.32,0:06:08.00,Default,,0000,0000,0000,,And we always want to be a specific Dialogue: 0,0:06:08.00,0:06:11.00,Default,,0000,0000,0000,,as possible. 
You'll most often see the Dialogue: 0,0:06:11.00,0:06:13.04,Default,,0000,0000,0000,,logical way to do that is by Dialogue: 0,0:06:13.04,0:06:15.68,Default,,0000,0000,0000,,identifying an index and a source type, Dialogue: 0,0:06:15.68,0:06:18.12,Default,,0000,0000,0000,,possibly some specific values of given Dialogue: 0,0:06:18.12,0:06:20.20,Default,,0000,0000,0000,,fields in that data before you start Dialogue: 0,0:06:20.20,0:06:22.72,Default,,0000,0000,0000,,applying other operations. In our case, we Dialogue: 0,0:06:22.72,0:06:25.20,Default,,0000,0000,0000,,want to work with a whole dataset, Dialogue: 0,0:06:25.20,0:06:28.88,Default,,0000,0000,0000,,and then we move into applying our eval Dialogue: 0,0:06:28.88,0:06:30.12,Default,,0000,0000,0000,,statements. Dialogue: 0,0:06:30.12,0:06:33.08,Default,,0000,0000,0000,,So in the evals, the purpose of these is Dialogue: 0,0:06:33.08,0:06:36.56,Default,,0000,0000,0000,,to create some new fields to work with, Dialogue: 0,0:06:36.56,0:06:40.08,Default,,0000,0000,0000,,and so we have two operations here. Dialogue: 0,0:06:40.08,0:06:42.44,Default,,0000,0000,0000,,And you can see that on the first line, Dialogue: 0,0:06:42.44,0:06:46.12,Default,,0000,0000,0000,,we're starting with an error check field. Dialogue: 0,0:06:46.12,0:06:49.16,Default,,0000,0000,0000,,These are web access logs, so we're Dialogue: 0,0:06:49.16,0:06:52.72,Default,,0000,0000,0000,,looking at the HTTP status codes as the Dialogue: 0,0:06:52.72,0:06:56.04,Default,,0000,0000,0000,,status field, and we have a logical Dialogue: 0,0:06:56.04,0:06:57.60,Default,,0000,0000,0000,,condition here for greater than or equal Dialogue: 0,0:06:57.60,0:07:00.68,Default,,0000,0000,0000,,to 400, we want to return errors. And so Dialogue: 0,0:07:00.68,0:07:04.12,Default,,0000,0000,0000,,very simple example, making it as easy Dialogue: 0,0:07:04.12,0:07:05.88,Default,,0000,0000,0000,,as possible. 
If you want to get specifics Dialogue: 0,0:07:05.88,0:07:08.72,Default,,0000,0000,0000,,on your 200s and your 300s, it's the Dialogue: 0,0:07:08.72,0:07:11.64,Default,,0000,0000,0000,,exact same type of logic to go and apply Dialogue: 0,0:07:11.64,0:07:14.12,Default,,0000,0000,0000,,likely a case statement to get some Dialogue: 0,0:07:14.12,0:07:17.20,Default,,0000,0000,0000,,additional conditions and more unique Dialogue: 0,0:07:17.20,0:07:20.52,Default,,0000,0000,0000,,output in an error check or some sort of Dialogue: 0,0:07:20.52,0:07:23.80,Default,,0000,0000,0000,,field indicating what you want to Dialogue: 0,0:07:23.80,0:07:25.92,Default,,0000,0000,0000,,see out of your status code so this case, Dialogue: 0,0:07:25.92,0:07:30.08,Default,,0000,0000,0000,,simple errors. Or the value of non error Dialogue: 0,0:07:30.08,0:07:32.12,Default,,0000,0000,0000,,if we have say a 200. Dialogue: 0,0:07:32.12,0:07:35.40,Default,,0000,0000,0000,,We're also using a time function to Dialogue: 0,0:07:35.40,0:07:39.16,Default,,0000,0000,0000,,create a second field called day. You Dialogue: 0,0:07:39.16,0:07:41.76,Default,,0000,0000,0000,,may be familiar with some of the Dialogue: 0,0:07:41.76,0:07:46.36,Default,,0000,0000,0000,,fields that you get out of by default Dialogue: 0,0:07:46.36,0:07:49.76,Default,,0000,0000,0000,,for most any events in Splunk and Dialogue: 0,0:07:49.76,0:07:51.76,Default,,0000,0000,0000,,that they're related to breakdowns of Dialogue: 0,0:07:51.76,0:07:56.00,Default,,0000,0000,0000,,the time stamps. You have day, month, Dialogue: 0,0:07:56.00,0:07:58.24,Default,,0000,0000,0000,,and many others. 
In this case, I want to Dialogue: 0,0:07:58.24,0:08:00.56,Default,,0000,0000,0000,,get a specific format for day so we use Dialogue: 0,0:08:00.56,0:08:03.48,Default,,0000,0000,0000,,a strftime function, and we have a Dialogue: 0,0:08:03.48,0:08:07.04,Default,,0000,0000,0000,,time format variable here on the actual Dialogue: 0,0:08:07.04,0:08:10.28,Default,,0000,0000,0000,,extracted time stamp for Splunk. So Dialogue: 0,0:08:10.28,0:08:12.04,Default,,0000,0000,0000,,coming out of the second line, we've Dialogue: 0,0:08:12.04,0:08:14.32,Default,,0000,0000,0000,,accessed our data, we have created two Dialogue: 0,0:08:14.32,0:08:17.48,Default,,0000,0000,0000,,new fields to use, and then we are Dialogue: 0,0:08:17.48,0:08:20.96,Default,,0000,0000,0000,,actually performing charting with a Dialogue: 0,0:08:20.96,0:08:23.68,Default,,0000,0000,0000,,statistical function, and so that is Dialogue: 0,0:08:23.68,0:08:26.24,Default,,0000,0000,0000,,using timechart. And we can see here Dialogue: 0,0:08:26.24,0:08:29.16,Default,,0000,0000,0000,,that we are counting our events that Dialogue: 0,0:08:29.16,0:08:33.48,Default,,0000,0000,0000,,actually have the error value for our Dialogue: 0,0:08:33.48,0:08:36.00,Default,,0000,0000,0000,,created error check field. And so I'm Dialogue: 0,0:08:36.00,0:08:39.28,Default,,0000,0000,0000,,going to pivot over to Splunk here, Dialogue: 0,0:08:39.28,0:08:40.88,Default,,0000,0000,0000,,and we're going to look at this search, Dialogue: 0,0:08:40.88,0:08:43.44,Default,,0000,0000,0000,,and I have commented out most of the Dialogue: 0,0:08:43.44,0:08:46.28,Default,,0000,0000,0000,,logic, we'll step back through it. We Dialogue: 0,0:08:46.28,0:08:49.20,Default,,0000,0000,0000,,are looking in our web access log events Dialogue: 0,0:08:49.20,0:08:52.80,Default,,0000,0000,0000,,here, and we want to then apply our Dialogue: 0,0:08:52.80,0:08:58.24,Default,,0000,0000,0000,,eval. 
And so by applying the eval, we can Dialogue: 0,0:08:58.24,0:09:01.28,Default,,0000,0000,0000,,get our error check field that provides Dialogue: 0,0:09:01.28,0:09:03.28,Default,,0000,0000,0000,,error or non-error. We're seeing that we Dialogue: 0,0:09:03.28,0:09:05.16,Default,,0000,0000,0000,,have mostly non-error Dialogue: 0,0:09:05.16,0:09:09.68,Default,,0000,0000,0000,,events. And then we have the day field, Dialogue: 0,0:09:09.68,0:09:11.76,Default,,0000,0000,0000,,and so day is actually providing the Dialogue: 0,0:09:11.76,0:09:14.44,Default,,0000,0000,0000,,full name of day for the time stamp for Dialogue: 0,0:09:14.44,0:09:17.80,Default,,0000,0000,0000,,all these events. So with our timechart, Dialogue: 0,0:09:17.80,0:09:22.20,Default,,0000,0000,0000,,this is the summarization with a Dialogue: 0,0:09:22.20,0:09:24.16,Default,,0000,0000,0000,,condition actually that we're spanning Dialogue: 0,0:09:24.16,0:09:27.72,Default,,0000,0000,0000,,by default over a single day, so this may Dialogue: 0,0:09:27.72,0:09:31.84,Default,,0000,0000,0000,,not be a very logical use of a split by Dialogue: 0,0:09:31.84,0:09:34.91,Default,,0000,0000,0000,,day when we are already using a timechart Dialogue: 0,0:09:34.91,0:09:37.08,Default,,0000,0000,0000,,command that is dividing our Dialogue: 0,0:09:37.08,0:09:41.04,Default,,0000,0000,0000,,results by the time bin, effectively a Dialogue: 0,0:09:41.04,0:09:46.08,Default,,0000,0000,0000,,span of one day. But what we can do is Dialogue: 0,0:09:46.08,0:09:50.44,Default,,0000,0000,0000,,change our split by field to host and Dialogue: 0,0:09:50.44,0:09:52.60,Default,,0000,0000,0000,,get a little bit more of a reasonable Dialogue: 0,0:09:52.60,0:09:54.72,Default,,0000,0000,0000,,presentation. 
We were able to see with Dialogue: 0,0:09:54.72,0:09:57.72,Default,,0000,0000,0000,,the counts in the individual days not Dialogue: 0,0:09:57.72,0:09:59.60,Default,,0000,0000,0000,,only split through the time chart, but by Dialogue: 0,0:09:59.60,0:10:02.40,Default,,0000,0000,0000,,the day field that we only had values Dialogue: 0,0:10:02.40,0:10:04.96,Default,,0000,0000,0000,,where our matrix matched up for the Dialogue: 0,0:10:04.96,0:10:09.68,Default,,0000,0000,0000,,actual day. So here we have our hosts Dialogue: 0,0:10:09.68,0:10:12.64,Default,,0000,0000,0000,,one, two, and three, and then across days Dialogue: 0,0:10:12.64,0:10:15.64,Default,,0000,0000,0000,,counts of the error events that we Dialogue: 0,0:10:15.64,0:10:20.16,Default,,0000,0000,0000,,observe. So that is the search that we Dialogue: 0,0:10:20.16,0:10:22.44,Default,,0000,0000,0000,,end on in basic search. The concepts Dialogue: 0,0:10:22.44,0:10:25.04,Default,,0000,0000,0000,,there being accessing our data, Dialogue: 0,0:10:25.04,0:10:27.28,Default,,0000,0000,0000,,searching in a descriptive manner, using Dialogue: 0,0:10:27.28,0:10:29.32,Default,,0000,0000,0000,,our metadata fields, the index and the Dialogue: 0,0:10:29.32,0:10:32.20,Default,,0000,0000,0000,,source type, the evaluation functions Dialogue: 0,0:10:32.20,0:10:33.92,Default,,0000,0000,0000,,where we're creating new fields, Dialogue: 0,0:10:33.92,0:10:37.64,Default,,0000,0000,0000,,manipulating data, and then we have a Dialogue: 0,0:10:37.64,0:10:40.20,Default,,0000,0000,0000,,timechart function that is providing Dialogue: 0,0:10:40.20,0:10:42.88,Default,,0000,0000,0000,,some summarized statistics here based Dialogue: 0,0:10:42.88,0:10:44.48,Default,,0000,0000,0000,,on a time range. 
Dialogue: 0,0:10:44.48,0:10:48.68,Default,,0000,0000,0000,,So we will pivot back, and we're Dialogue: 0,0:10:48.68,0:10:51.40,Default,,0000,0000,0000,,going to take a step back out of the SPL Dialogue: 0,0:10:51.40,0:10:54.20,Default,,0000,0000,0000,,for a second just to talk about these Dialogue: 0,0:10:54.20,0:10:56.52,Default,,0000,0000,0000,,different kinds of search operations Dialogue: 0,0:10:56.52,0:10:59.36,Default,,0000,0000,0000,,that we just performed. So you'll hear Dialogue: 0,0:10:59.36,0:11:03.08,Default,,0000,0000,0000,,these terms if you are really kind of Dialogue: 0,0:11:03.08,0:11:06.04,Default,,0000,0000,0000,,diving deeper into actual operations of Dialogue: 0,0:11:06.04,0:11:09.92,Default,,0000,0000,0000,,Splunk searching. And you can get very Dialogue: 0,0:11:09.92,0:11:12.56,Default,,0000,0000,0000,,detailed regarding the optimization of Dialogue: 0,0:11:12.56,0:11:16.28,Default,,0000,0000,0000,,searches around these types of Dialogue: 0,0:11:16.28,0:11:17.68,Default,,0000,0000,0000,,commands and the order in which you Dialogue: 0,0:11:17.68,0:11:21.40,Default,,0000,0000,0000,,choose to execute SPL. Today I'm going to Dialogue: 0,0:11:21.40,0:11:24.24,Default,,0000,0000,0000,,focus on how these operations actually Dialogue: 0,0:11:24.24,0:11:27.24,Default,,0000,0000,0000,,apply to the data and helping you to Dialogue: 0,0:11:27.24,0:11:29.32,Default,,0000,0000,0000,,make better decisions about what Dialogue: 0,0:11:29.32,0:11:32.32,Default,,0000,0000,0000,,commands are best for the scenario that Dialogue: 0,0:11:32.32,0:11:34.24,Default,,0000,0000,0000,,you have or the output that you want to Dialogue: 0,0:11:34.24,0:11:37.64,Default,,0000,0000,0000,,see. 
And in future sessions, we will Dialogue: 0,0:11:37.64,0:11:39.36,Default,,0000,0000,0000,,discuss the actual optimization of Dialogue: 0,0:11:39.36,0:11:42.08,Default,,0000,0000,0000,,searches through this optimal order Dialogue: 0,0:11:42.08,0:11:46.44,Default,,0000,0000,0000,,of functions and some other means. Dialogue: 0,0:11:46.44,0:11:48.20,Default,,0000,0000,0000,,But just a caveat there that we're going Dialogue: 0,0:11:48.20,0:11:50.44,Default,,0000,0000,0000,,to talk pretty specifically today Dialogue: 0,0:11:50.44,0:11:52.84,Default,,0000,0000,0000,,just about these individually, how Dialogue: 0,0:11:52.84,0:11:54.72,Default,,0000,0000,0000,,they work with data, and then how you Dialogue: 0,0:11:54.72,0:11:56.57,Default,,0000,0000,0000,,see them in combination. Dialogue: 0,0:11:56.57,0:11:59.84,Default,,0000,0000,0000,,So our types of SPL commands, Dialogue: 0,0:11:59.84,0:12:03.16,Default,,0000,0000,0000,,the top three in bold we'll focus on in Dialogue: 0,0:12:03.16,0:12:06.08,Default,,0000,0000,0000,,our examples. The first of which is Dialogue: 0,0:12:06.08,0:12:08.22,Default,,0000,0000,0000,,streaming operations Dialogue: 0,0:12:08.22,0:12:10.76,Default,,0000,0000,0000,,which are executed on Dialogue: 0,0:12:10.76,0:12:13.08,Default,,0000,0000,0000,,individual events as they're returned by a Dialogue: 0,0:12:13.08,0:12:15.40,Default,,0000,0000,0000,,search. So you can think of this like Dialogue: 0,0:12:15.40,0:12:16.99,Default,,0000,0000,0000,,your evals Dialogue: 0,0:12:16.99,0:12:18.88,Default,,0000,0000,0000,,that is going to be doing Dialogue: 0,0:12:18.88,0:12:21.44,Default,,0000,0000,0000,,something to every single event, Dialogue: 0,0:12:21.44,0:12:24.28,Default,,0000,0000,0000,,modifying fields when they're available. Dialogue: 0,0:12:24.28,0:12:28.40,Default,,0000,0000,0000,,We do have generating functions. 
So Dialogue: 0,0:12:28.40,0:12:30.80,Default,,0000,0000,0000,,generating function are going to be used Dialogue: 0,0:12:30.80,0:12:33.84,Default,,0000,0000,0000,,situationally where you're sourcing data Dialogue: 0,0:12:33.84,0:12:38.08,Default,,0000,0000,0000,,from non-indexed datasets, and so you Dialogue: 0,0:12:38.08,0:12:40.84,Default,,0000,0000,0000,,would see that from either input Dialogue: 0,0:12:40.84,0:12:43.76,Default,,0000,0000,0000,,lookup commands or maybe tstats, Dialogue: 0,0:12:43.76,0:12:46.12,Default,,0000,0000,0000,,pulling information from the tsidx Dialogue: 0,0:12:46.12,0:12:48.92,Default,,0000,0000,0000,,files, and so generating the Dialogue: 0,0:12:48.92,0:12:51.08,Default,,0000,0000,0000,,statistical output based on the data Dialogue: 0,0:12:51.08,0:12:55.04,Default,,0000,0000,0000,,available there. Transforming commands Dialogue: 0,0:12:55.04,0:12:58.56,Default,,0000,0000,0000,,you will see as often as streaming Dialogue: 0,0:12:58.56,0:13:00.60,Default,,0000,0000,0000,,commands, generally speaking, and more Dialogue: 0,0:13:00.60,0:13:02.80,Default,,0000,0000,0000,,often than generating commands where Dialogue: 0,0:13:02.80,0:13:05.40,Default,,0000,0000,0000,,transforming is intended to order Dialogue: 0,0:13:05.40,0:13:08.52,Default,,0000,0000,0000,,results into a data table. And I often Dialogue: 0,0:13:08.52,0:13:11.32,Default,,0000,0000,0000,,think of this much like how we discuss Dialogue: 0,0:13:11.32,0:13:13.64,Default,,0000,0000,0000,,the statistical functions in basic Dialogue: 0,0:13:13.64,0:13:17.16,Default,,0000,0000,0000,,search as summarization functions where Dialogue: 0,0:13:17.16,0:13:19.52,Default,,0000,0000,0000,,you're looking to condense your overall Dialogue: 0,0:13:19.52,0:13:22.68,Default,,0000,0000,0000,,dataset into really manageable Dialogue: 0,0:13:22.68,0:13:24.88,Default,,0000,0000,0000,,consumable results. 
So these Dialogue: 0,0:13:24.88,0:13:28.32,Default,,0000,0000,0000,,operations that apply that summarization Dialogue: 0,0:13:28.32,0:13:31.72,Default,,0000,0000,0000,,are transforming. We do have two Dialogue: 0,0:13:31.72,0:13:35.60,Default,,0000,0000,0000,,additional types of SPL commands, the Dialogue: 0,0:13:35.60,0:13:39.48,Default,,0000,0000,0000,,first is orchestrating. You can read Dialogue: 0,0:13:39.48,0:13:41.68,Default,,0000,0000,0000,,about these, I will not discuss in great Dialogue: 0,0:13:41.68,0:13:45.20,Default,,0000,0000,0000,,detail. They are used to manipulate Dialogue: 0,0:13:45.20,0:13:48.64,Default,,0000,0000,0000,,how searches are actually processed or Dialogue: 0,0:13:48.64,0:13:50.80,Default,,0000,0000,0000,,or how commands are processed. And Dialogue: 0,0:13:50.80,0:13:54.08,Default,,0000,0000,0000,,they don't directly affect the results Dialogue: 0,0:13:54.08,0:13:56.08,Default,,0000,0000,0000,,in a search, how we think about say Dialogue: 0,0:13:56.08,0:13:59.84,Default,,0000,0000,0000,,applying a stats or an eval to a data Dialogue: 0,0:13:59.84,0:14:02.32,Default,,0000,0000,0000,,set. So if you're interested, Dialogue: 0,0:14:02.32,0:14:04.40,Default,,0000,0000,0000,,definitely check it out. Linked Dialogue: 0,0:14:04.40,0:14:07.42,Default,,0000,0000,0000,,documentation has details there. 
Dialogue: 0,0:14:07.42,0:14:11.12,Default,,0000,0000,0000,,Dataset processing is seen much more often, Dialogue: 0,0:14:11.12,0:14:15.00,Default,,0000,0000,0000,,and you do have some conditional Dialogue: 0,0:14:15.00,0:14:18.68,Default,,0000,0000,0000,,scenarios where commands can act as Dialogue: 0,0:14:18.68,0:14:21.76,Default,,0000,0000,0000,,dataset processing, so the Dialogue: 0,0:14:21.76,0:14:23.96,Default,,0000,0000,0000,,distinction for dataset processing is Dialogue: 0,0:14:23.96,0:14:26.36,Default,,0000,0000,0000,,going to be that you are operating in Dialogue: 0,0:14:26.36,0:14:29.80,Default,,0000,0000,0000,,bulk on a single completed dataset at Dialogue: 0,0:14:29.80,0:14:32.24,Default,,0000,0000,0000,,one time. So we'll look at an Dialogue: 0,0:14:32.24,0:14:34.26,Default,,0000,0000,0000,,example of that. Dialogue: 0,0:14:34.26,0:14:36.60,Default,,0000,0000,0000,,I want to pivot back to our main Dialogue: 0,0:14:36.60,0:14:38.36,Default,,0000,0000,0000,,three that we're going to be focusing on, Dialogue: 0,0:14:38.36,0:14:39.84,Default,,0000,0000,0000,,and I have mentioned some of these Dialogue: 0,0:14:39.84,0:14:43.80,Default,,0000,0000,0000,,examples already. The eval functions Dialogue: 0,0:14:43.80,0:14:45.88,Default,,0000,0000,0000,,that we've been talking about so far are Dialogue: 0,0:14:45.88,0:14:47.92,Default,,0000,0000,0000,,perfect examples of our streaming Dialogue: 0,0:14:47.92,0:14:51.44,Default,,0000,0000,0000,,commands. So where we are creating new Dialogue: 0,0:14:51.44,0:14:55.60,Default,,0000,0000,0000,,fields for each entry or log event, Dialogue: 0,0:14:55.60,0:14:59.40,Default,,0000,0000,0000,,where we are modifying values for all of Dialogue: 0,0:14:59.40,0:15:01.92,Default,,0000,0000,0000,,the results that are available. That Dialogue: 0,0:15:01.92,0:15:05.28,Default,,0000,0000,0000,,is where we are streaming with the Dialogue: 0,0:15:05.28,0:15:08.56,Default,,0000,0000,0000,,search functions. 
Inputlookup is Dialogue: 0,0:15:08.56,0:15:09.96,Default,,0000,0000,0000,,possibly one of the most common Dialogue: 0,0:15:09.96,0:15:12.40,Default,,0000,0000,0000,,generating commands that I see Dialogue: 0,0:15:12.40,0:15:15.20,Default,,0000,0000,0000,,because someone is intending to Dialogue: 0,0:15:15.20,0:15:18.72,Default,,0000,0000,0000,,source a dataset stored in a CSV file Dialogue: 0,0:15:18.72,0:15:21.48,Default,,0000,0000,0000,,or a KV store collection, and you're Dialogue: 0,0:15:21.48,0:15:23.72,Default,,0000,0000,0000,,able to bring that back as a report and Dialogue: 0,0:15:23.72,0:15:27.72,Default,,0000,0000,0000,,use that logic in your queries. Dialogue: 0,0:15:27.72,0:15:29.64,Default,,0000,0000,0000,,So that is Dialogue: 0,0:15:29.64,0:15:33.40,Default,,0000,0000,0000,,not requiring the index data or Dialogue: 0,0:15:33.40,0:15:35.56,Default,,0000,0000,0000,,any index data to actually return the Dialogue: 0,0:15:35.56,0:15:38.49,Default,,0000,0000,0000,,results that you want to see. Dialogue: 0,0:15:38.91,0:15:41.32,Default,,0000,0000,0000,,And we've talked about stats, very Dialogue: 0,0:15:41.32,0:15:43.60,Default,,0000,0000,0000,,generally speaking, with a lot of Dialogue: 0,0:15:43.60,0:15:46.44,Default,,0000,0000,0000,,unique functions you can apply there Dialogue: 0,0:15:46.44,0:15:49.56,Default,,0000,0000,0000,,where this is going to provide a tabular Dialogue: 0,0:15:49.56,0:15:53.56,Default,,0000,0000,0000,,output. And it is serving that purpose of Dialogue: 0,0:15:53.56,0:15:54.80,Default,,0000,0000,0000,,summarization, so we're really Dialogue: 0,0:15:54.80,0:15:57.56,Default,,0000,0000,0000,,reformatting the data into that Dialogue: 0,0:15:57.56,0:16:00.92,Default,,0000,0000,0000,,tabular report. 
Dialogue: 0,0:16:02.00,0:16:06.52,Default,,0000,0000,0000,,So we see in this example search here Dialogue: 0,0:16:06.52,0:16:09.00,Default,,0000,0000,0000,,that we are often combining these Dialogue: 0,0:16:09.00,0:16:12.36,Default,,0000,0000,0000,,different types of search operations. So Dialogue: 0,0:16:12.36,0:16:15.24,Default,,0000,0000,0000,,in this example that we have, I have Dialogue: 0,0:16:15.24,0:16:19.32,Default,,0000,0000,0000,,data that already exists in a CSV file. Dialogue: 0,0:16:19.32,0:16:22.84,Default,,0000,0000,0000,,We are applying a streaming command here, Dialogue: 0,0:16:22.84,0:16:26.00,Default,,0000,0000,0000,,where, evaluating each line to see if Dialogue: 0,0:16:26.00,0:16:28.40,Default,,0000,0000,0000,,we match a condition, and then returning Dialogue: 0,0:16:28.40,0:16:29.64,Default,,0000,0000,0000,,the results Dialogue: 0,0:16:29.64,0:16:32.24,Default,,0000,0000,0000,,based on that evaluation. And then we're Dialogue: 0,0:16:32.24,0:16:34.20,Default,,0000,0000,0000,,applying a transforming command at the Dialogue: 0,0:16:34.20,0:16:36.64,Default,,0000,0000,0000,,end which is that stats summarization, Dialogue: 0,0:16:36.64,0:16:40.48,Default,,0000,0000,0000,,getting the maximum values for the Dialogue: 0,0:16:40.48,0:16:44.32,Default,,0000,0000,0000,,count of errors and the host that is Dialogue: 0,0:16:44.32,0:16:47.60,Default,,0000,0000,0000,,associated with that. So let's pivot over Dialogue: 0,0:16:47.60,0:16:52.08,Default,,0000,0000,0000,,to Splunk and we'll take a look at that example. 
Dialogue: 0,0:16:54.16,0:16:56.32,Default,,0000,0000,0000,,So I'm just going to grab my Dialogue: 0,0:16:56.32,0:16:59.44,Default,,0000,0000,0000,,search here and I pre-commented out Dialogue: 0,0:16:59.44,0:17:04.21,Default,,0000,0000,0000,,the specific lines following inputlookup Dialogue: 0,0:17:04.21,0:17:06.08,Default,,0000,0000,0000,,just to see that this generating Dialogue: 0,0:17:06.08,0:17:07.80,Default,,0000,0000,0000,,command here is not looking for any Dialogue: 0,0:17:07.80,0:17:10.16,Default,,0000,0000,0000,,specific index data. We're pulling Dialogue: 0,0:17:10.16,0:17:13.24,Default,,0000,0000,0000,,directly the results that I have in a Dialogue: 0,0:17:13.24,0:17:17.72,Default,,0000,0000,0000,,CSV file here into this output, and so Dialogue: 0,0:17:17.72,0:17:20.52,Default,,0000,0000,0000,,we have a count of errors observed Dialogue: 0,0:17:20.52,0:17:25.44,Default,,0000,0000,0000,,across multiple hosts. Our where command Dialogue: 0,0:17:25.44,0:17:28.52,Default,,0000,0000,0000,,you might think is reformatting data Dialogue: 0,0:17:28.52,0:17:31.00,Default,,0000,0000,0000,,in the sense it is transforming the Dialogue: 0,0:17:31.00,0:17:34.16,Default,,0000,0000,0000,,results, but the evaluation of a where Dialogue: 0,0:17:34.16,0:17:37.32,Default,,0000,0000,0000,,function does apply effectively to every Dialogue: 0,0:17:37.32,0:17:41.76,Default,,0000,0000,0000,,event that is returned. So it is a Dialogue: 0,0:17:41.76,0:17:43.96,Default,,0000,0000,0000,,streaming command that is going to Dialogue: 0,0:17:43.96,0:17:46.56,Default,,0000,0000,0000,,filter down our result set based on our Dialogue: 0,0:17:46.56,0:17:49.12,Default,,0000,0000,0000,,condition that the error count is less Dialogue: 0,0:17:49.12,0:17:50.92,Default,,0000,0000,0000,,than 200. 
Dialogue: 0,0:17:50.92,0:17:54.76,Default,,0000,0000,0000,,So the following line is our Dialogue: 0,0:17:54.76,0:17:57.32,Default,,0000,0000,0000,,transforming command where we have two Dialogue: 0,0:17:57.32,0:18:02.24,Default,,0000,0000,0000,,results left 187 for host 3. We want Dialogue: 0,0:18:02.24,0:18:06.04,Default,,0000,0000,0000,,to see our maximum values here of 187 on Dialogue: 0,0:18:06.04,0:18:09.96,Default,,0000,0000,0000,,host 3. So our scenario here has really Dialogue: 0,0:18:09.96,0:18:13.40,Default,,0000,0000,0000,,covered where you may have hosts Dialogue: 0,0:18:13.40,0:18:15.96,Default,,0000,0000,0000,,that are trending toward a negative Dialogue: 0,0:18:15.96,0:18:19.28,Default,,0000,0000,0000,,state. You're aware that the second Dialogue: 0,0:18:19.28,0:18:22.04,Default,,0000,0000,0000,,host had already exceeded its Dialogue: 0,0:18:22.04,0:18:25.36,Default,,0000,0000,0000,,threshold value for errors, but host 3 Dialogue: 0,0:18:25.36,0:18:27.44,Default,,0000,0000,0000,,also appears to be trending toward this Dialogue: 0,0:18:27.44,0:18:30.16,Default,,0000,0000,0000,,threshold. So being able to combine Dialogue: 0,0:18:30.16,0:18:33.00,Default,,0000,0000,0000,,these types of commands, understand Dialogue: 0,0:18:33.00,0:18:35.24,Default,,0000,0000,0000,,the logical condition that you're Dialogue: 0,0:18:35.24,0:18:37.68,Default,,0000,0000,0000,,searching for, and then also providing Dialogue: 0,0:18:37.68,0:18:40.84,Default,,0000,0000,0000,,that consumable output. So combining Dialogue: 0,0:18:40.84,0:18:44.48,Default,,0000,0000,0000,,all three of our types of commands here. 
Dialogue: 0,0:18:46.17,0:18:49.44,Default,,0000,0000,0000,,So I'm going to jump to an SPL Dialogue: 0,0:18:49.44,0:18:53.16,Default,,0000,0000,0000,,demo, and as I go through these different Dialogue: 0,0:18:53.16,0:18:55.84,Default,,0000,0000,0000,,commands, I'm going to be referencing Dialogue: 0,0:18:55.84,0:18:58.36,Default,,0000,0000,0000,,back to the different command types that Dialogue: 0,0:18:58.36,0:19:00.08,Default,,0000,0000,0000,,we're working with. I'm going to Dialogue: 0,0:19:00.08,0:19:02.36,Default,,0000,0000,0000,,introduce in a lot of these searches Dialogue: 0,0:19:02.36,0:19:04.68,Default,,0000,0000,0000,,a lot of small commands that I won't Dialogue: 0,0:19:04.68,0:19:07.00,Default,,0000,0000,0000,,talk about in great detail, and that Dialogue: 0,0:19:07.00,0:19:09.36,Default,,0000,0000,0000,,really is the purpose of using your Dialogue: 0,0:19:09.36,0:19:11.64,Default,,0000,0000,0000,,search manual, using your search Dialogue: 0,0:19:11.64,0:19:14.76,Default,,0000,0000,0000,,reference documentation. So I will Dialogue: 0,0:19:14.76,0:19:17.40,Default,,0000,0000,0000,,glance over the use case, talk about Dialogue: 0,0:19:17.40,0:19:19.56,Default,,0000,0000,0000,,how it's meant to be applied, and then Dialogue: 0,0:19:19.56,0:19:22.20,Default,,0000,0000,0000,,using in your own scenarios where you Dialogue: 0,0:19:22.20,0:19:24.40,Default,,0000,0000,0000,,have a problem you need to solve, Dialogue: 0,0:19:24.40,0:19:26.88,Default,,0000,0000,0000,,referencing the docs to find out where Dialogue: 0,0:19:26.88,0:19:29.96,Default,,0000,0000,0000,,you can apply similar functions to Dialogue: 0,0:19:29.96,0:19:32.56,Default,,0000,0000,0000,,what we observe in the demonstration here. Dialogue: 0,0:19:32.56,0:19:36.76,Default,,0000,0000,0000,,So the first command I'm going to Dialogue: 0,0:19:36.76,0:19:40.88,Default,,0000,0000,0000,,focus on is the rex command. 
So rex is a Dialogue: 0,0:19:40.88,0:19:43.48,Default,,0000,0000,0000,,streaming command that you often see Dialogue: 0,0:19:43.48,0:19:46.56,Default,,0000,0000,0000,,applied to datasets that do not fully Dialogue: 0,0:19:46.56,0:19:49.72,Default,,0000,0000,0000,,have data extracted in the format that Dialogue: 0,0:19:49.72,0:19:53.16,Default,,0000,0000,0000,,you want to be using in your Dialogue: 0,0:19:53.16,0:19:56.76,Default,,0000,0000,0000,,reporting or in your logic. And so Dialogue: 0,0:19:56.76,0:20:00.12,Default,,0000,0000,0000,,this could very well be handled actually Dialogue: 0,0:20:00.12,0:20:03.44,Default,,0000,0000,0000,,in the configuration of props and Dialogue: 0,0:20:03.44,0:20:06.08,Default,,0000,0000,0000,,transforms and extracting fields at the Dialogue: 0,0:20:06.08,0:20:08.48,Default,,0000,0000,0000,,right times and indexing data, but as Dialogue: 0,0:20:08.48,0:20:10.28,Default,,0000,0000,0000,,you're bringing in new data sources, you need Dialogue: 0,0:20:10.28,0:20:12.48,Default,,0000,0000,0000,,to understand what's available for use Dialogue: 0,0:20:12.48,0:20:14.36,Default,,0000,0000,0000,,in Splunk. A lot of times you'll find Dialogue: 0,0:20:14.36,0:20:16.84,Default,,0000,0000,0000,,yourself needing to extract new fields Dialogue: 0,0:20:16.84,0:20:19.20,Default,,0000,0000,0000,,in line in your searches and be able Dialogue: 0,0:20:19.20,0:20:22.08,Default,,0000,0000,0000,,to use those in your search logic. Rex Dialogue: 0,0:20:22.08,0:20:28.04,Default,,0000,0000,0000,,also has a sed mode that I also see Dialogue: 0,0:20:28.04,0:20:31.60,Default,,0000,0000,0000,,used for testing the masking of data in line Dialogue: 0,0:20:31.60,0:20:34.08,Default,,0000,0000,0000,,prior to actually putting that into Dialogue: 0,0:20:34.08,0:20:36.36,Default,,0000,0000,0000,,indexing configurations. 
Dialogue: 0,0:20:36.36,0:20:38.00,Default,,0000,0000,0000,,So rex you would Dialogue: 0,0:20:38.00,0:20:41.20,Default,,0000,0000,0000,,generally see used when you don't Dialogue: 0,0:20:41.20,0:20:43.04,Default,,0000,0000,0000,,have those fields available, you need to Dialogue: 0,0:20:43.04,0:20:45.64,Default,,0000,0000,0000,,use them at that time. And then we're Dialogue: 0,0:20:45.64,0:20:47.12,Default,,0000,0000,0000,,going to take a look at an example of Dialogue: 0,0:20:47.12,0:20:49.64,Default,,0000,0000,0000,,masking data as well to test your Dialogue: 0,0:20:49.64,0:20:53.48,Default,,0000,0000,0000,,syntax for a sed style replace in Dialogue: 0,0:20:53.48,0:21:00.60,Default,,0000,0000,0000,,config files. So we will jump back over. Dialogue: 0,0:21:04.68,0:21:06.88,Default,,0000,0000,0000,,So I'm going to start with a search on Dialogue: 0,0:21:06.88,0:21:10.12,Default,,0000,0000,0000,,an index source type, my tutorial data. Dialogue: 0,0:21:10.12,0:21:13.16,Default,,0000,0000,0000,,And then this is actual Linux secure Dialogue: 0,0:21:13.16,0:21:16.16,Default,,0000,0000,0000,,logging so these are going to be OS Dialogue: 0,0:21:16.16,0:21:19.04,Default,,0000,0000,0000,,security logs, and we're looking at all Dialogue: 0,0:21:19.04,0:21:21.04,Default,,0000,0000,0000,,of our web hosts that we've been Dialogue: 0,0:21:21.04,0:21:22.85,Default,,0000,0000,0000,,focusing on previously. 
Dialogue: 0,0:21:22.85,0:21:25.00,Default,,0000,0000,0000,,In our events, you can see Dialogue: 0,0:21:25.00,0:21:29.04,Default,,0000,0000,0000,,that we have first here an event that Dialogue: 0,0:21:29.04,0:21:31.87,Default,,0000,0000,0000,,has failed password for invalid user inet. Dialogue: 0,0:21:31.87,0:21:34.32,Default,,0000,0000,0000,,We're provided a source IP, a source Dialogue: 0,0:21:34.32,0:21:36.56,Default,,0000,0000,0000,,port, and we go to see the fields that Dialogue: 0,0:21:36.56,0:21:38.92,Default,,0000,0000,0000,,are extracted, and that's not Dialogue: 0,0:21:38.92,0:21:41.92,Default,,0000,0000,0000,,being done for us automatically. So just Dialogue: 0,0:21:41.92,0:21:43.88,Default,,0000,0000,0000,,to start testing our logic to see if we Dialogue: 0,0:21:43.88,0:21:46.80,Default,,0000,0000,0000,,can get the results we want to see, Dialogue: 0,0:21:46.80,0:21:49.76,Default,,0000,0000,0000,,we're going to use the rex command. And Dialogue: 0,0:21:49.76,0:21:53.24,Default,,0000,0000,0000,,in doing so, we are applying this Dialogue: 0,0:21:53.24,0:21:55.44,Default,,0000,0000,0000,,operation across every event, again, a Dialogue: 0,0:21:55.44,0:21:59.60,Default,,0000,0000,0000,,streaming command. We are looking at the Dialogue: 0,0:21:59.60,0:22:01.28,Default,,0000,0000,0000,,raw field, so we're actually looking at Dialogue: 0,0:22:01.28,0:22:04.68,Default,,0000,0000,0000,,the raw text of each of these log events. Dialogue: 0,0:22:04.68,0:22:07.48,Default,,0000,0000,0000,,And then the rex syntax is simply to Dialogue: 0,0:22:07.48,0:22:11.96,Default,,0000,0000,0000,,provide in double quotes a regex Dialogue: 0,0:22:11.96,0:22:14.84,Default,,0000,0000,0000,,match, and we're using named groups for Dialogue: 0,0:22:14.84,0:22:17.44,Default,,0000,0000,0000,,field extractions. 
So for every single Dialogue: 0,0:22:17.44,0:22:19.44,Default,,0000,0000,0000,,event that we see failed password for Dialogue: 0,0:22:19.44,0:22:22.92,Default,,0000,0000,0000,,invalid user, we are actually extracting Dialogue: 0,0:22:22.92,0:22:26.40,Default,,0000,0000,0000,,a user field, the source IP field, and the Dialogue: 0,0:22:26.40,0:22:28.80,Default,,0000,0000,0000,,source port field. For the sake of Dialogue: 0,0:22:28.80,0:22:30.88,Default,,0000,0000,0000,,simplicity, I tried to keep the regex simple. Dialogue: 0,0:22:30.88,0:22:33.76,Default,,0000,0000,0000,,You can make this as complex as you need Dialogue: 0,0:22:33.76,0:22:37.68,Default,,0000,0000,0000,,to for your needs, for your data. And Dialogue: 0,0:22:37.68,0:22:40.96,Default,,0000,0000,0000,,so in our extracted fields, I've Dialogue: 0,0:22:40.96,0:22:42.84,Default,,0000,0000,0000,,actually pre-selected these so we can Dialogue: 0,0:22:42.84,0:22:46.24,Default,,0000,0000,0000,,see our user is now available, and this Dialogue: 0,0:22:46.24,0:22:50.04,Default,,0000,0000,0000,,applies to the events where the regex was Dialogue: 0,0:22:50.04,0:22:53.16,Default,,0000,0000,0000,,actually valid and matching on the Dialogue: 0,0:22:53.16,0:22:57.44,Default,,0000,0000,0000,,failed password for invalid user, etc string. Dialogue: 0,0:22:57.44,0:23:00.12,Default,,0000,0000,0000,,So now that we have our fields Dialogue: 0,0:23:00.12,0:23:03.80,Default,,0000,0000,0000,,extracted, we can actually use these. 
And Dialogue: 0,0:23:03.80,0:23:04.63,Default,,0000,0000,0000,,we want Dialogue: 0,0:23:04.63,0:23:09.40,Default,,0000,0000,0000,,to do a stats count as failed logins, so Dialogue: 0,0:23:09.40,0:23:13.40,Default,,0000,0000,0000,,anytime you see an operation as and Dialogue: 0,0:23:13.40,0:23:16.64,Default,,0000,0000,0000,,then a unique name, just a rename Dialogue: 0,0:23:16.64,0:23:19.08,Default,,0000,0000,0000,,through the transformation function, Dialogue: 0,0:23:19.08,0:23:21.48,Default,,0000,0000,0000,,easier way to actually keep Dialogue: 0,0:23:21.48,0:23:23.48,Default,,0000,0000,0000,,consistency with referencing your Dialogue: 0,0:23:23.48,0:23:26.76,Default,,0000,0000,0000,,fields as well as not have to rename Dialogue: 0,0:23:26.76,0:23:29.92,Default,,0000,0000,0000,,later on with some additional- in this Dialogue: 0,0:23:29.92,0:23:31.68,Default,,0000,0000,0000,,case, you'd have to reference the name Dialogue: 0,0:23:31.68,0:23:34.52,Default,,0000,0000,0000,,distinct count so just a way to keep Dialogue: 0,0:23:34.52,0:23:38.32,Default,,0000,0000,0000,,things clean and easy to use in further Dialogue: 0,0:23:38.32,0:23:42.16,Default,,0000,0000,0000,,lines of SPL. So we are counting our Dialogue: 0,0:23:42.16,0:23:43.92,Default,,0000,0000,0000,,failed logins, we're looking at the Dialogue: 0,0:23:43.92,0:23:47.84,Default,,0000,0000,0000,,distinct count of the source IP values Dialogue: 0,0:23:47.84,0:23:50.00,Default,,0000,0000,0000,,that we have, and then we're splitting Dialogue: 0,0:23:50.00,0:23:52.96,Default,,0000,0000,0000,,that by the host and the user. 
So you can Dialogue: 0,0:23:52.96,0:23:55.72,Default,,0000,0000,0000,,see here, this tutorial data is Dialogue: 0,0:23:55.72,0:23:57.88,Default,,0000,0000,0000,,actually pretty flat across most of the Dialogue: 0,0:23:57.88,0:24:00.12,Default,,0000,0000,0000,,sources, so we're not going to have Dialogue: 0,0:24:00.12,0:24:04.68,Default,,0000,0000,0000,,any outliers or spikes in our stats here, Dialogue: 0,0:24:04.68,0:24:07.96,Default,,0000,0000,0000,,but you can see the resulting presentation. Dialogue: 0,0:24:08.96,0:24:11.44,Default,,0000,0000,0000,,In line four, we do have a Dialogue: 0,0:24:11.44,0:24:14.84,Default,,0000,0000,0000,,sort command, and this is an example of a Dialogue: 0,0:24:14.84,0:24:17.52,Default,,0000,0000,0000,,dataset processing command where we are Dialogue: 0,0:24:17.52,0:24:20.40,Default,,0000,0000,0000,,actually evaluating a full completed Dialogue: 0,0:24:20.40,0:24:23.64,Default,,0000,0000,0000,,dataset and reordering it. Given the Dialogue: 0,0:24:23.64,0:24:26.00,Default,,0000,0000,0000,,logic here, we want to descend on these Dialogue: 0,0:24:26.00,0:24:29.00,Default,,0000,0000,0000,,numeric values. So keep in mind as you're Dialogue: 0,0:24:29.00,0:24:31.20,Default,,0000,0000,0000,,operating on different fields, it's going Dialogue: 0,0:24:31.20,0:24:33.80,Default,,0000,0000,0000,,to be the same sort of either basic Dialogue: 0,0:24:33.80,0:24:37.16,Default,,0000,0000,0000,,numeric or the lexicographical ordering Dialogue: 0,0:24:37.16,0:24:40.36,Default,,0000,0000,0000,,that you typically see in Splunk. Dialogue: 0,0:24:40.84,0:24:45.72,Default,,0000,0000,0000,,So we do have a second example Dialogue: 0,0:24:45.72,0:24:49.20,Default,,0000,0000,0000,,with the sed style replace. 
Dialogue: 0,0:24:54.24,0:24:58.64,Default,,0000,0000,0000,,So you can see in my events here Dialogue: 0,0:24:58.64,0:25:01.64,Default,,0000,0000,0000,,we are searching the tutorial and Dialogue: 0,0:25:01.64,0:25:05.04,Default,,0000,0000,0000,,vendor sales index and source type. And Dialogue: 0,0:25:05.04,0:25:06.72,Default,,0000,0000,0000,,I've gone ahead and applied one Dialogue: 0,0:25:06.72,0:25:09.40,Default,,0000,0000,0000,,operation, and this is going to be a Dialogue: 0,0:25:09.40,0:25:11.88,Default,,0000,0000,0000,,helpful operation to understand really Dialogue: 0,0:25:11.88,0:25:14.68,Default,,0000,0000,0000,,what we are replacing and how to get Dialogue: 0,0:25:14.68,0:25:18.16,Default,,0000,0000,0000,,consistent operation on these fields. Dialogue: 0,0:25:18.16,0:25:20.28,Default,,0000,0000,0000,,So in this case, we are actually creating Dialogue: 0,0:25:20.28,0:25:23.56,Default,,0000,0000,0000,,an ID length field where we are going to Dialogue: 0,0:25:23.56,0:25:26.96,Default,,0000,0000,0000,,choose to mask the value of account ID Dialogue: 0,0:25:26.96,0:25:29.12,Default,,0000,0000,0000,,in our rex command. We want to know that Dialogue: 0,0:25:29.12,0:25:31.68,Default,,0000,0000,0000,,that's a consistent number of characters Dialogue: 0,0:25:31.68,0:25:33.80,Default,,0000,0000,0000,,through all of our data. It's very Dialogue: 0,0:25:33.80,0:25:37.08,Default,,0000,0000,0000,,simple to spot check, but just to be Dialogue: 0,0:25:37.08,0:25:39.44,Default,,0000,0000,0000,,certain, we want to apply this to all of Dialogue: 0,0:25:39.44,0:25:42.76,Default,,0000,0000,0000,,our data, in this case, streaming command Dialogue: 0,0:25:42.76,0:25:45.52,Default,,0000,0000,0000,,through this eval. We Dialogue: 0,0:25:45.52,0:25:49.28,Default,,0000,0000,0000,,are changing the type of the data Dialogue: 0,0:25:49.28,0:25:51.92,Default,,0000,0000,0000,,because account ID is actually numeric. 
Dialogue: 0,0:25:51.92,0:25:53.72,Default,,0000,0000,0000,,We're making that a string value so that Dialogue: 0,0:25:53.72,0:25:56.72,Default,,0000,0000,0000,,we can look at the length. These are Dialogue: 0,0:25:56.72,0:25:58.84,Default,,0000,0000,0000,,common functions in any programming Dialogue: 0,0:25:58.84,0:26:01.56,Default,,0000,0000,0000,,language, and so the syntax here in Dialogue: 0,0:26:01.56,0:26:04.04,Default,,0000,0000,0000,,SPL is quite simple. Just to be able Dialogue: 0,0:26:04.04,0:26:06.52,Default,,0000,0000,0000,,to get that contextual feel, we Dialogue: 0,0:26:06.52,0:26:09.40,Default,,0000,0000,0000,,understand we have 16 characters for Dialogue: 0,0:26:09.40,0:26:12.48,Default,,0000,0000,0000,,100% of our events in the account IDs. Dialogue: 0,0:26:12.48,0:26:17.00,Default,,0000,0000,0000,,So actually applying our rex command, Dialogue: 0,0:26:17.00,0:26:20.76,Default,,0000,0000,0000,,we are going to now specify a unique Dialogue: 0,0:26:20.76,0:26:23.92,Default,,0000,0000,0000,,field, not just underscore raw. We are Dialogue: 0,0:26:23.92,0:26:27.16,Default,,0000,0000,0000,,applying the sed mode, and this is a Dialogue: 0,0:26:27.16,0:26:30.80,Default,,0000,0000,0000,,sed syntax replacement looking Dialogue: 0,0:26:30.80,0:26:33.56,Default,,0000,0000,0000,,for the- it's a capture group for the Dialogue: 0,0:26:33.56,0:26:35.88,Default,,0000,0000,0000,,first 12 digits. And then we're Dialogue: 0,0:26:35.88,0:26:39.24,Default,,0000,0000,0000,,replacing that with a series of 12 X's. Dialogue: 0,0:26:39.24,0:26:42.04,Default,,0000,0000,0000,,So you can see in our first event, the Dialogue: 0,0:26:42.04,0:26:45.32,Default,,0000,0000,0000,,account ID is now masked, we only have Dialogue: 0,0:26:45.32,0:26:48.52,Default,,0000,0000,0000,,the remaining four digits to be able to Dialogue: 0,0:26:48.52,0:26:52.32,Default,,0000,0000,0000,,identify that. 
And so if our data was Dialogue: 0,0:26:52.32,0:26:55.36,Default,,0000,0000,0000,,indexed and is appropriately done so Dialogue: 0,0:26:55.36,0:26:58.04,Default,,0000,0000,0000,,in Splunk with the full account IDs, but Dialogue: 0,0:26:58.04,0:27:00.36,Default,,0000,0000,0000,,for the sake of reporting we want to Dialogue: 0,0:27:00.36,0:27:04.84,Default,,0000,0000,0000,,be able to mask that for the audience, Dialogue: 0,0:27:04.84,0:27:07.80,Default,,0000,0000,0000,,then we're able to use the sed Dialogue: 0,0:27:07.80,0:27:11.92,Default,,0000,0000,0000,,replace. And then to finalize a report, Dialogue: 0,0:27:11.92,0:27:13.88,Default,,0000,0000,0000,,this is just an example of the top Dialogue: 0,0:27:13.88,0:27:16.40,Default,,0000,0000,0000,,command which does a few operations Dialogue: 0,0:27:16.40,0:27:18.12,Default,,0000,0000,0000,,together and makes for a good Dialogue: 0,0:27:18.12,0:27:20.72,Default,,0000,0000,0000,,shorthand report, taking all the Dialogue: 0,0:27:20.72,0:27:24.08,Default,,0000,0000,0000,,unique values of the provided field, Dialogue: 0,0:27:24.08,0:27:26.48,Default,,0000,0000,0000,,giving you a count of those values, and Dialogue: 0,0:27:26.48,0:27:29.00,Default,,0000,0000,0000,,then showing the percentage Dialogue: 0,0:27:29.00,0:27:31.68,Default,,0000,0000,0000,,of the makeup for the total dataset Dialogue: 0,0:27:31.68,0:27:34.52,Default,,0000,0000,0000,,that that unique value accounts for. So Dialogue: 0,0:27:34.52,0:27:37.40,Default,,0000,0000,0000,,again, pretty flat in this tutorial data Dialogue: 0,0:27:37.40,0:27:40.20,Default,,0000,0000,0000,,in seeing a very consistent Dialogue: 0,0:27:40.20,0:27:45.16,Default,,0000,0000,0000,,.03% across these different account IDs. Dialogue: 0,0:27:46.68,0:27:51.08,Default,,0000,0000,0000,,So we have looked at a few examples Dialogue: 0,0:27:51.08,0:27:54.64,Default,,0000,0000,0000,,with the rex command, and that is Dialogue: 0,0:27:54.64,0:27:57.04,Default,,0000,0000,0000,,again, streaming. 
We're going to look at Dialogue: 0,0:27:57.04,0:27:59.12,Default,,0000,0000,0000,,another streaming command Dialogue: 0,0:27:59.12,0:28:02.40,Default,,0000,0000,0000,,which is going to be a set of Dialogue: 0,0:28:02.40,0:28:07.20,Default,,0000,0000,0000,,multivalue eval functions. And so again, Dialogue: 0,0:28:07.20,0:28:09.56,Default,,0000,0000,0000,,if you were to have a bookmark for search Dialogue: 0,0:28:09.56,0:28:12.32,Default,,0000,0000,0000,,documentation, multivalue eval functions Dialogue: 0,0:28:12.32,0:28:14.56,Default,,0000,0000,0000,,are a great one to have because when Dialogue: 0,0:28:14.56,0:28:17.24,Default,,0000,0000,0000,,you encounter these, it really takes Dialogue: 0,0:28:17.24,0:28:19.96,Default,,0000,0000,0000,,some time to figure out how to actually Dialogue: 0,0:28:19.96,0:28:25.96,Default,,0000,0000,0000,,operate on data. And so the Dialogue: 0,0:28:25.96,0:28:29.56,Default,,0000,0000,0000,,multivalue functions are really just Dialogue: 0,0:28:29.56,0:28:31.80,Default,,0000,0000,0000,,a collection that, depending on your use Dialogue: 0,0:28:31.80,0:28:34.68,Default,,0000,0000,0000,,case, you're able to determine the Dialogue: 0,0:28:34.68,0:28:39.08,Default,,0000,0000,0000,,best to apply. You see it often used Dialogue: 0,0:28:39.08,0:28:42.84,Default,,0000,0000,0000,,with JSON and XML, so data formats Dialogue: 0,0:28:42.84,0:28:44.88,Default,,0000,0000,0000,,that are actually naturally going to Dialogue: 0,0:28:44.88,0:28:47.36,Default,,0000,0000,0000,,provide a multivalue field where you Dialogue: 0,0:28:47.36,0:28:50.48,Default,,0000,0000,0000,,have repeated tags or keys across Dialogue: 0,0:28:50.48,0:28:54.32,Default,,0000,0000,0000,,unique events as they're extracted. 
Dialogue: 0,0:28:54.32,0:28:56.36,Default,,0000,0000,0000,,And you often see a lot of times in Dialogue: 0,0:28:56.36,0:28:58.48,Default,,0000,0000,0000,,Windows event logs, you actually have Dialogue: 0,0:28:58.48,0:29:01.36,Default,,0000,0000,0000,,repeated key values where your values Dialogue: 0,0:29:01.36,0:29:02.96,Default,,0000,0000,0000,,are different and the position in the Dialogue: 0,0:29:02.96,0:29:05.20,Default,,0000,0000,0000,,event is actually specific to a Dialogue: 0,0:29:05.20,0:29:08.84,Default,,0000,0000,0000,,condition, so you may have a need Dialogue: 0,0:29:08.84,0:29:11.44,Default,,0000,0000,0000,,for extraction or interaction with one Dialogue: 0,0:29:11.44,0:29:14.40,Default,,0000,0000,0000,,of those unique values to actually Dialogue: 0,0:29:14.40,0:29:18.60,Default,,0000,0000,0000,,get a reasonable outcome from your data. Dialogue: 0,0:29:18.60,0:29:22.80,Default,,0000,0000,0000,,And so we're going to use Dialogue: 0,0:29:22.80,0:29:25.96,Default,,0000,0000,0000,,multivalue eval functions when we Dialogue: 0,0:29:25.96,0:29:28.68,Default,,0000,0000,0000,,have a change we want to make to the Dialogue: 0,0:29:28.68,0:29:31.88,Default,,0000,0000,0000,,presentation of data and we're able Dialogue: 0,0:29:31.88,0:29:34.88,Default,,0000,0000,0000,,to do so with multivalue fields. This I Dialogue: 0,0:29:34.88,0:29:36.72,Default,,0000,0000,0000,,would say often occurs when you have Dialogue: 0,0:29:36.72,0:29:39.96,Default,,0000,0000,0000,,multivalue data and then you want to Dialogue: 0,0:29:39.96,0:29:43.08,Default,,0000,0000,0000,,be able to change the format of the Dialogue: 0,0:29:43.08,0:29:45.64,Default,,0000,0000,0000,,multivalue fields there. And then Dialogue: 0,0:29:45.64,0:29:46.96,Default,,0000,0000,0000,,we're also going to look at a quick Dialogue: 0,0:29:46.96,0:29:51.28,Default,,0000,0000,0000,,example of actually using multivalue Dialogue: 0,0:29:51.28,0:29:54.88,Default,,0000,0000,0000,,evaluation as a logical condition. 
Dialogue: 0,0:29:54.88,0:30:00.04,Default,,0000,0000,0000,,So the first example. Dialogue: 0,0:30:03.32,0:30:05.68,Default,,0000,0000,0000,,We're going to start with a Dialogue: 0,0:30:05.68,0:30:08.72,Default,,0000,0000,0000,,simple table looking at our web access Dialogue: 0,0:30:08.72,0:30:11.24,Default,,0000,0000,0000,,logs, and so we're just going to pull Dialogue: 0,0:30:11.24,0:30:14.88,Default,,0000,0000,0000,,in our status and referer domain fields. Dialogue: 0,0:30:14.88,0:30:18.44,Default,,0000,0000,0000,,And so you can see we've got an Dialogue: 0,0:30:18.44,0:30:23.00,Default,,0000,0000,0000,,HTTP status code, and we've got the Dialogue: 0,0:30:23.00,0:30:26.12,Default,,0000,0000,0000,,format of a protocol, subdomain, Dialogue: 0,0:30:26.12,0:30:29.52,Default,,0000,0000,0000,,TLD. And our scenario here is that for Dialogue: 0,0:30:29.52,0:30:31.56,Default,,0000,0000,0000,,simplicity of reporting, we just want Dialogue: 0,0:30:31.56,0:30:33.76,Default,,0000,0000,0000,,to work with this referer domain field Dialogue: 0,0:30:33.76,0:30:38.32,Default,,0000,0000,0000,,and be able to simplify that. So in Dialogue: 0,0:30:38.32,0:30:41.80,Default,,0000,0000,0000,,actually splitting out the field in this Dialogue: 0,0:30:41.80,0:30:44.88,Default,,0000,0000,0000,,case, split referer domain, and then Dialogue: 0,0:30:44.88,0:30:47.72,Default,,0000,0000,0000,,choosing the period character as our Dialogue: 0,0:30:47.72,0:30:50.40,Default,,0000,0000,0000,,point to split the data. We're creating a Dialogue: 0,0:30:50.40,0:30:52.92,Default,,0000,0000,0000,,multivalue from what was previously Dialogue: 0,0:30:52.92,0:30:57.20,Default,,0000,0000,0000,,just a single value field. 
And using Dialogue: 0,0:30:57.20,0:31:01.60,Default,,0000,0000,0000,,this, we can actually create a new field Dialogue: 0,0:31:01.60,0:31:06.08,Default,,0000,0000,0000,,by using the index of a multivalue field, Dialogue: 0,0:31:06.08,0:31:08.04,Default,,0000,0000,0000,,and in this case, we're looking at Dialogue: 0,0:31:08.04,0:31:10.74,Default,,0000,0000,0000,,index 012. Dialogue: 0,0:31:10.74,0:31:13.28,Default,,0000,0000,0000,,The multivalue index function allows Dialogue: 0,0:31:13.28,0:31:15.80,Default,,0000,0000,0000,,us to target a specific field and then Dialogue: 0,0:31:15.80,0:31:18.56,Default,,0000,0000,0000,,choose a starting and ending index to Dialogue: 0,0:31:18.56,0:31:21.32,Default,,0000,0000,0000,,extract given values. There are a number Dialogue: 0,0:31:21.32,0:31:23.32,Default,,0000,0000,0000,,of ways to do this. In our case here Dialogue: 0,0:31:23.32,0:31:25.04,Default,,0000,0000,0000,,where we have three entries, it's quite Dialogue: 0,0:31:25.04,0:31:26.64,Default,,0000,0000,0000,,simple just to give that start and end Dialogue: 0,0:31:26.64,0:31:28.64,Default,,0000,0000,0000,,of range as the Dialogue: 0,0:31:28.64,0:31:29.84,Default,,0000,0000,0000,,two entries Dialogue: 0,0:31:29.84,0:31:35.36,Default,,0000,0000,0000,,apart. So as we are working to recreate Dialogue: 0,0:31:35.36,0:31:39.20,Default,,0000,0000,0000,,our domain, and so that is just applying Dialogue: 0,0:31:39.20,0:31:41.72,Default,,0000,0000,0000,,for this new domain field, we have Dialogue: 0,0:31:41.72,0:31:44.20,Default,,0000,0000,0000,,buttercupgames.com in what was Dialogue: 0,0:31:44.20,0:31:47.69,Default,,0000,0000,0000,,previously the HTTP www.buttercup Dialogue: 0,0:31:47.69,0:31:51.44,Default,,0000,0000,0000,,games.com. We can now use those fields Dialogue: 0,0:31:51.44,0:31:54.72,Default,,0000,0000,0000,,in a transformation function. 
In this Dialogue: 0,0:31:54.72,0:31:58.04,Default,,0000,0000,0000,,case, simple stats count by status in Dialogue: 0,0:31:58.04,0:32:00.20,Default,,0000,0000,0000,,the domain. Dialogue: 0,0:32:02.60,0:32:06.96,Default,,0000,0000,0000,,So I do want to look at another Dialogue: 0,0:32:06.96,0:32:10.24,Default,,0000,0000,0000,,example here that is similar, but Dialogue: 0,0:32:10.24,0:32:13.64,Default,,0000,0000,0000,,we're going to use a multivalue function Dialogue: 0,0:32:13.64,0:32:16.92,Default,,0000,0000,0000,,to actually test a condition. And so I'm Dialogue: 0,0:32:16.92,0:32:18.40,Default,,0000,0000,0000,,going to, Dialogue: 0,0:32:18.40,0:32:21.64,Default,,0000,0000,0000,,in this case, be searching the same Dialogue: 0,0:32:21.64,0:32:24.24,Default,,0000,0000,0000,,data. We're going to start with a stats Dialogue: 0,0:32:24.24,0:32:28.64,Default,,0000,0000,0000,,command, and so a stats count as well as Dialogue: 0,0:32:28.64,0:32:32.04,Default,,0000,0000,0000,,a values of status. And so the values Dialogue: 0,0:32:32.04,0:32:33.36,Default,,0000,0000,0000,,function is going to provide all the Dialogue: 0,0:32:33.36,0:32:37.48,Default,,0000,0000,0000,,unique values of a given field based Dialogue: 0,0:32:37.48,0:32:41.84,Default,,0000,0000,0000,,on the split by. And so that produces Dialogue: 0,0:32:41.84,0:32:44.96,Default,,0000,0000,0000,,a multivalue field here in the case of Dialogue: 0,0:32:44.96,0:32:47.28,Default,,0000,0000,0000,,status. We have quite a few events Dialogue: 0,0:32:47.28,0:32:50.80,Default,,0000,0000,0000,,that have multiple status codes, and as Dialogue: 0,0:32:50.80,0:32:52.96,Default,,0000,0000,0000,,we're interested in pulling those events Dialogue: 0,0:32:52.96,0:32:57.48,Default,,0000,0000,0000,,out, we can use an mvcount function to Dialogue: 0,0:32:57.48,0:33:01.20,Default,,0000,0000,0000,,evaluate and filter our dataset to Dialogue: 0,0:33:01.20,0:33:04.24,Default,,0000,0000,0000,,those specific events. 
So a very simple Dialogue: 0,0:33:04.24,0:33:07.20,Default,,0000,0000,0000,,operation here, you're just looking at what has Dialogue: 0,0:33:07.20,0:33:10.24,Default,,0000,0000,0000,,the- what has more than a single value Dialogue: 0,0:33:10.24,0:33:13.40,Default,,0000,0000,0000,,for status, but very useful as you're Dialogue: 0,0:33:13.40,0:33:15.92,Default,,0000,0000,0000,,applying this in reporting especially in Dialogue: 0,0:33:15.92,0:33:19.00,Default,,0000,0000,0000,,combination with others and with more Dialogue: 0,0:33:19.00,0:33:22.64,Default,,0000,0000,0000,,complex conditions. Dialogue: 0,0:33:22.64,0:33:28.20,Default,,0000,0000,0000,,So that is our set of multivalue Dialogue: 0,0:33:28.20,0:33:32.52,Default,,0000,0000,0000,,eval functions there as streaming commands. Dialogue: 0,0:33:34.24,0:33:38.28,Default,,0000,0000,0000,,So for a final section of Dialogue: 0,0:33:38.28,0:33:42.00,Default,,0000,0000,0000,,the demo, I want to talk about a concept Dialogue: 0,0:33:42.00,0:33:44.72,Default,,0000,0000,0000,,that is not so much a set of functions, Dialogue: 0,0:33:44.72,0:33:47.96,Default,,0000,0000,0000,,but really enables more complex Dialogue: 0,0:33:47.96,0:33:50.16,Default,,0000,0000,0000,,and interesting searching and can allow Dialogue: 0,0:33:50.16,0:33:52.80,Default,,0000,0000,0000,,us to use a few different types of Dialogue: 0,0:33:52.80,0:33:57.24,Default,,0000,0000,0000,,commands in our SPL. And so the concept of Dialogue: 0,0:33:57.24,0:34:00.20,Default,,0000,0000,0000,,subsearching for both filtering and Dialogue: 0,0:34:00.20,0:34:04.28,Default,,0000,0000,0000,,enrichment is taking secondary search Dialogue: 0,0:34:04.28,0:34:06.96,Default,,0000,0000,0000,,results, and we're using that to Dialogue: 0,0:34:06.96,0:34:10.66,Default,,0000,0000,0000,,affect a primary search. 
So a subsearch Dialogue: 0,0:34:10.66,0:34:12.20,Default,,0000,0000,0000,,will be executed, the results Dialogue: 0,0:34:12.20,0:34:15.08,Default,,0000,0000,0000,,returned, and depending on how it's used, Dialogue: 0,0:34:15.08,0:34:17.76,Default,,0000,0000,0000,,this is going to be processed in the Dialogue: 0,0:34:17.76,0:34:21.60,Default,,0000,0000,0000,,original search, and that is going to- Dialogue: 0,0:34:21.60,0:34:24.36,Default,,0000,0000,0000,,We'll look at an example where it is Dialogue: 0,0:34:24.36,0:34:27.40,Default,,0000,0000,0000,,filtering. So based on the results, we get Dialogue: 0,0:34:27.40,0:34:31.24,Default,,0000,0000,0000,,effectively a value equals X or value Dialogue: 0,0:34:31.24,0:34:34.32,Default,,0000,0000,0000,,equals Y for one of our fields that Dialogue: 0,0:34:34.32,0:34:37.16,Default,,0000,0000,0000,,we're looking at in the subsearch. Dialogue: 0,0:34:37.16,0:34:39.32,Default,,0000,0000,0000,,And then we're also going to look at an Dialogue: 0,0:34:39.32,0:34:42.40,Default,,0000,0000,0000,,enrichment example, so you see this often Dialogue: 0,0:34:42.40,0:34:45.76,Default,,0000,0000,0000,,when you have a dataset maybe saved Dialogue: 0,0:34:45.76,0:34:48.48,Default,,0000,0000,0000,,in a lookup table or you just have a Dialogue: 0,0:34:48.48,0:34:50.08,Default,,0000,0000,0000,,simple reference where you want to bring Dialogue: 0,0:34:50.08,0:34:52.88,Default,,0000,0000,0000,,in more context, maybe descriptions of Dialogue: 0,0:34:52.88,0:34:54.56,Default,,0000,0000,0000,,event codes, things like Dialogue: 0,0:34:54.56,0:34:59.64,Default,,0000,0000,0000,,that. So in that case, Dialogue: 0,0:35:02.16,0:35:05.44,Default,,0000,0000,0000,,we'll look at the first command here. 
Now, Dialogue: 0,0:35:05.44,0:35:08.16,Default,,0000,0000,0000,,I'm going to run my search, and we're Dialogue: 0,0:35:08.16,0:35:12.12,Default,,0000,0000,0000,,going to pivot over to a subsearch Dialogue: 0,0:35:12.12,0:35:14.74,Default,,0000,0000,0000,,tab here. And so you can see our subsearch Dialogue: 0,0:35:14.74,0:35:19.72,Default,,0000,0000,0000,,looking at the secure logs. Dialogue: 0,0:35:19.72,0:35:21.88,Default,,0000,0000,0000,,We are actually just pulling out the Dialogue: 0,0:35:21.88,0:35:24.36,Default,,0000,0000,0000,,search to see what the results are or Dialogue: 0,0:35:24.36,0:35:26.08,Default,,0000,0000,0000,,what's going to be returned from that Dialogue: 0,0:35:26.08,0:35:28.84,Default,,0000,0000,0000,,subsearch. So we're applying the same Dialogue: 0,0:35:28.84,0:35:31.20,Default,,0000,0000,0000,,rex that we had before to extract our Dialogue: 0,0:35:31.20,0:35:33.72,Default,,0000,0000,0000,,fields. We're applying a where, a streaming Dialogue: 0,0:35:33.72,0:35:35.92,Default,,0000,0000,0000,,command looking for anything that's not Dialogue: 0,0:35:35.92,0:35:38.60,Default,,0000,0000,0000,,null for user. We observed that we had Dialogue: 0,0:35:38.60,0:35:40.92,Default,,0000,0000,0000,,about 60% of our events that were going Dialogue: 0,0:35:40.92,0:35:43.36,Default,,0000,0000,0000,,to be null based on not having a user Dialogue: 0,0:35:43.36,0:35:46.97,Default,,0000,0000,0000,,field, and so looking at that total dataset, Dialogue: 0,0:35:46.97,0:35:50.28,Default,,0000,0000,0000,,we're just going to count by our Dialogue: 0,0:35:50.28,0:35:53.84,Default,,0000,0000,0000,,source IP. And this is often a quick way Dialogue: 0,0:35:53.84,0:35:56.84,Default,,0000,0000,0000,,to really just get a list of unique Dialogue: 0,0:35:56.84,0:35:59.88,Default,,0000,0000,0000,,values of any given field. 
And then Dialogue: 0,0:35:59.88,0:36:03.12,Default,,0000,0000,0000,,operating on that to return just the Dialogue: 0,0:36:03.12,0:36:05.08,Default,,0000,0000,0000,,list of values, few different ways to Dialogue: 0,0:36:05.08,0:36:08.80,Default,,0000,0000,0000,,do that, I see stats count pretty often. Dialogue: 0,0:36:08.80,0:36:10.60,Default,,0000,0000,0000,,And in this case, we're actually tabling Dialogue: 0,0:36:10.60,0:36:13.96,Default,,0000,0000,0000,,out just keeping our source IP field and Dialogue: 0,0:36:13.96,0:36:16.80,Default,,0000,0000,0000,,renaming it to client IP, so the resulting Dialogue: 0,0:36:16.80,0:36:20.56,Default,,0000,0000,0000,,dataset is a single column table Dialogue: 0,0:36:20.56,0:36:21.44,Default,,0000,0000,0000,,with Dialogue: 0,0:36:21.44,0:36:26.32,Default,,0000,0000,0000,,182 results, and the field name is client Dialogue: 0,0:36:26.32,0:36:29.88,Default,,0000,0000,0000,,IP. So when returned to the original Dialogue: 0,0:36:29.88,0:36:32.12,Default,,0000,0000,0000,,search, we're running this as a sub Dialogue: 0,0:36:32.12,0:36:36.32,Default,,0000,0000,0000,,search, the effective result of this is Dialogue: 0,0:36:36.32,0:36:39.96,Default,,0000,0000,0000,,actually client IP equals my first value Dialogue: 0,0:36:39.96,0:36:43.80,Default,,0000,0000,0000,,here or client IP equals my second value Dialogue: 0,0:36:43.80,0:36:46.96,Default,,0000,0000,0000,,and so on through the full dataset. And Dialogue: 0,0:36:46.96,0:36:49.20,Default,,0000,0000,0000,,so looking at our search here, we're Dialogue: 0,0:36:49.20,0:36:52.36,Default,,0000,0000,0000,,applying this to the access logs. 
You can Dialogue: 0,0:36:52.36,0:36:55.28,Default,,0000,0000,0000,,see that we had a field named source IP Dialogue: 0,0:36:55.28,0:36:58.52,Default,,0000,0000,0000,,in the secure logs and we renamed to Dialogue: 0,0:36:58.52,0:37:02.16,Default,,0000,0000,0000,,client IP so that we could apply this to Dialogue: 0,0:37:02.16,0:37:05.76,Default,,0000,0000,0000,,the access logs where client IP is the Dialogue: 0,0:37:05.76,0:37:09.48,Default,,0000,0000,0000,,actual field name for the source IP Dialogue: 0,0:37:09.48,0:37:13.56,Default,,0000,0000,0000,,data. And in this case, we are filtering Dialogue: 0,0:37:13.56,0:37:16.08,Default,,0000,0000,0000,,to the client IPs relevant in the secure Dialogue: 0,0:37:16.08,0:37:19.84,Default,,0000,0000,0000,,logs for our web access logs. Dialogue: 0,0:37:19.84,0:37:23.96,Default,,0000,0000,0000,,So uncommenting here, we have a Dialogue: 0,0:37:23.96,0:37:26.80,Default,,0000,0000,0000,,series of operations that we're doing, Dialogue: 0,0:37:26.80,0:37:29.00,Default,,0000,0000,0000,,and I'm just going to run them all at Dialogue: 0,0:37:29.00,0:37:33.08,Default,,0000,0000,0000,,once and talk through that we are Dialogue: 0,0:37:33.08,0:37:37.24,Default,,0000,0000,0000,,counting the status or we're counting Dialogue: 0,0:37:37.24,0:37:40.32,Default,,0000,0000,0000,,the events by status and client IP Dialogue: 0,0:37:40.32,0:37:42.64,Default,,0000,0000,0000,,for the client IPs that were relevant to Dialogue: 0,0:37:42.64,0:37:44.88,Default,,0000,0000,0000,,authentication failures in the secure Dialogue: 0,0:37:44.88,0:37:48.76,Default,,0000,0000,0000,,logs. We are then creating a status count Dialogue: 0,0:37:48.76,0:37:52.04,Default,,0000,0000,0000,,field just by combining our status Dialogue: 0,0:37:52.04,0:37:54.68,Default,,0000,0000,0000,,and count fields, adding a colon Dialogue: 0,0:37:54.68,0:37:58.64,Default,,0000,0000,0000,,between them. 
And then we are doing a Dialogue: 0,0:37:58.64,0:38:02.08,Default,,0000,0000,0000,,second stats statement here to Dialogue: 0,0:38:02.08,0:38:03.96,Default,,0000,0000,0000,,actually combine all of our newly Dialogue: 0,0:38:03.96,0:38:06.32,Default,,0000,0000,0000,,created fields together in a more Dialogue: 0,0:38:06.32,0:38:10.56,Default,,0000,0000,0000,,condensed report. So a transforming command, Dialogue: 0,0:38:10.56,0:38:12.52,Default,,0000,0000,0000,,then streaming for creating our new Dialogue: 0,0:38:12.52,0:38:15.36,Default,,0000,0000,0000,,field, another transforming command, and Dialogue: 0,0:38:15.36,0:38:17.88,Default,,0000,0000,0000,,then our sort for dataset processing Dialogue: 0,0:38:17.88,0:38:20.92,Default,,0000,0000,0000,,actually gives us the results here for a Dialogue: 0,0:38:20.92,0:38:25.48,Default,,0000,0000,0000,,given client IP. And so we are, in this Dialogue: 0,0:38:25.48,0:38:28.44,Default,,0000,0000,0000,,case, looking for the scenario that Dialogue: 0,0:38:28.44,0:38:31.32,Default,,0000,0000,0000,,these client IPs that are involved in Dialogue: 0,0:38:31.32,0:38:34.24,Default,,0000,0000,0000,,authentication failures to the web Dialogue: 0,0:38:34.24,0:38:37.32,Default,,0000,0000,0000,,servers. In this case, these were all over Dialogue: 0,0:38:37.32,0:38:39.68,Default,,0000,0000,0000,,SSH. We want to see if there are Dialogue: 0,0:38:39.68,0:38:42.76,Default,,0000,0000,0000,,interactions by these same source IPs Dialogue: 0,0:38:42.76,0:38:46.08,Default,,0000,0000,0000,,actually on the website that we're Dialogue: 0,0:38:46.08,0:38:50.20,Default,,0000,0000,0000,,hosting. 
So seeing a high number of Dialogue: 0,0:38:50.20,0:38:53.40,Default,,0000,0000,0000,,failed values, looking at actions also is Dialogue: 0,0:38:53.40,0:38:55.60,Default,,0000,0000,0000,,a use case here for just bringing in Dialogue: 0,0:38:55.60,0:38:57.68,Default,,0000,0000,0000,,that context and seeing if there's any Dialogue: 0,0:38:57.68,0:39:00.52,Default,,0000,0000,0000,,sort of relationship between the data. Dialogue: 0,0:39:00.52,0:39:04.00,Default,,0000,0000,0000,,This is discussed often as correlation Dialogue: 0,0:39:04.00,0:39:07.68,Default,,0000,0000,0000,,of logs. I'm usually careful about using Dialogue: 0,0:39:07.68,0:39:09.44,Default,,0000,0000,0000,,the term correlation in talking about Dialogue: 0,0:39:09.44,0:39:11.12,Default,,0000,0000,0000,,Splunk queries, especially in Enterprise Dialogue: 0,0:39:11.12,0:39:12.64,Default,,0000,0000,0000,,Security, talking about correlation Dialogue: 0,0:39:12.64,0:39:16.12,Default,,0000,0000,0000,,searches, where I typically think of Dialogue: 0,0:39:16.12,0:39:18.48,Default,,0000,0000,0000,,correlation searches as being Dialogue: 0,0:39:18.48,0:39:20.60,Default,,0000,0000,0000,,overarching concepts that cover data Dialogue: 0,0:39:20.60,0:39:23.92,Default,,0000,0000,0000,,from multiple data sources, and in this Dialogue: 0,0:39:23.92,0:39:26.48,Default,,0000,0000,0000,,case, correlating events would be looking Dialogue: 0,0:39:26.48,0:39:28.40,Default,,0000,0000,0000,,at unique data types that are Dialogue: 0,0:39:28.40,0:39:31.24,Default,,0000,0000,0000,,potentially related in finding that Dialogue: 0,0:39:31.24,0:39:33.84,Default,,0000,0000,0000,,logical connection for the condition. Dialogue: 0,0:39:33.84,0:39:35.88,Default,,0000,0000,0000,,That's a little bit more up to the user. 
Dialogue: 0,0:39:35.88,0:39:38.32,Default,,0000,0000,0000,,It's not quite as easy as say, Dialogue: 0,0:39:38.32,0:39:41.52,Default,,0000,0000,0000,,pointing to a specific data Dialogue: 0,0:39:41.52,0:39:44.88,Default,,0000,0000,0000,,model. So we are going to look at one Dialogue: 0,0:39:44.88,0:39:47.92,Default,,0000,0000,0000,,more subsearch here, and this case is Dialogue: 0,0:39:47.92,0:39:52.24,Default,,0000,0000,0000,,going to apply the join command. And Dialogue: 0,0:39:52.24,0:39:55.68,Default,,0000,0000,0000,,so I talk about using lookup files or Dialogue: 0,0:39:55.68,0:39:59.00,Default,,0000,0000,0000,,other data returned by subsearches Dialogue: 0,0:39:59.00,0:40:01.60,Default,,0000,0000,0000,,to enrich, to bring more data in Dialogue: 0,0:40:01.60,0:40:05.60,Default,,0000,0000,0000,,rather than filter. We are going to Dialogue: 0,0:40:05.60,0:40:08.96,Default,,0000,0000,0000,,look at our first part of the command Dialogue: 0,0:40:08.96,0:40:11.48,Default,,0000,0000,0000,,here, and this is actually just a Dialogue: 0,0:40:11.48,0:40:15.72,Default,,0000,0000,0000,,simple stats report based on this rex Dialogue: 0,0:40:15.72,0:40:18.08,Default,,0000,0000,0000,,that keeps coming through the SPL to Dialogue: 0,0:40:18.08,0:40:21.00,Default,,0000,0000,0000,,give us those user and source IP fields. Dialogue: 0,0:40:21.00,0:40:24.08,Default,,0000,0000,0000,,So our result here is authentication Dialogue: 0,0:40:24.08,0:40:26.20,Default,,0000,0000,0000,,failures for all these web hosts so Dialogue: 0,0:40:26.20,0:40:28.76,Default,,0000,0000,0000,,similar to what we had previously Dialogue: 0,0:40:28.76,0:40:31.20,Default,,0000,0000,0000,,returned. And then we're going to take a Dialogue: 0,0:40:31.20,0:40:33.32,Default,,0000,0000,0000,,look at the results of the subsearch Dialogue: 0,0:40:33.32,0:40:35.40,Default,,0000,0000,0000,,here. 
I'm going to actually split this up so that we Dialogue: 0,0:40:35.40,0:40:38.84,Default,,0000,0000,0000,,can see the first two lines. We're Dialogue: 0,0:40:38.84,0:40:41.76,Default,,0000,0000,0000,,looking at our web access logs for Dialogue: 0,0:40:41.76,0:40:45.56,Default,,0000,0000,0000,,purchase actions, and then we are Dialogue: 0,0:40:45.56,0:40:50.60,Default,,0000,0000,0000,,looking at our stats count for errors Dialogue: 0,0:40:50.60,0:40:52.96,Default,,0000,0000,0000,,and stats count for successes. We have Dialogue: 0,0:40:52.96,0:40:55.08,Default,,0000,0000,0000,,pretty limited status codes to return in Dialogue: 0,0:40:55.08,0:40:59.24,Default,,0000,0000,0000,,this data so this is viable for Dialogue: 0,0:40:59.24,0:41:01.80,Default,,0000,0000,0000,,the data present to observe our Dialogue: 0,0:41:01.80,0:41:04.42,Default,,0000,0000,0000,,errors and successes. Dialogue: 0,0:41:04.42,0:41:05.88,Default,,0000,0000,0000,,And then we are actually Dialogue: 0,0:41:05.88,0:41:08.16,Default,,0000,0000,0000,,creating a new field based on the Dialogue: 0,0:41:08.16,0:41:10.84,Default,,0000,0000,0000,,statistics that we're generating, Dialogue: 0,0:41:10.84,0:41:13.92,Default,,0000,0000,0000,,looking at our transaction errors so Dialogue: 0,0:41:13.92,0:41:18.00,Default,,0000,0000,0000,,where we have high or low numbers Dialogue: 0,0:41:18.00,0:41:22.08,Default,,0000,0000,0000,,of failed purchase actions, and then Dialogue: 0,0:41:22.08,0:41:25.60,Default,,0000,0000,0000,,summarizing that. So in the case of our Dialogue: 0,0:41:25.60,0:41:27.80,Default,,0000,0000,0000,,final command here, another transforming Dialogue: 0,0:41:27.80,0:41:30.64,Default,,0000,0000,0000,,command of table just to reduce this to Dialogue: 0,0:41:30.64,0:41:35.08,Default,,0000,0000,0000,,a small dataset to use in the subsearch. 
Dialogue: 0,0:41:35.08,0:41:37.44,Default,,0000,0000,0000,,And so in this case, we have our host Dialogue: 0,0:41:37.44,0:41:39.40,Default,,0000,0000,0000,,value and then our transaction error Dialogue: 0,0:41:39.40,0:41:41.48,Default,,0000,0000,0000,,rate that we observe from the web access Dialogue: 0,0:41:41.48,0:41:44.76,Default,,0000,0000,0000,,logs. And then over in our other search Dialogue: 0,0:41:44.76,0:41:48.64,Default,,0000,0000,0000,,here, we are going to perform a left Dialogue: 0,0:41:48.64,0:41:51.40,Default,,0000,0000,0000,,join based on this host field. So you see Dialogue: 0,0:41:51.40,0:41:53.36,Default,,0000,0000,0000,,in our secure logs, we still have the Dialogue: 0,0:41:53.36,0:41:55.80,Default,,0000,0000,0000,,same host value, and this is going to be Dialogue: 0,0:41:55.80,0:41:59.64,Default,,0000,0000,0000,,used to actually add our Dialogue: 0,0:41:59.64,0:42:02.76,Default,,0000,0000,0000,,transaction error rates in for each Dialogue: 0,0:42:02.76,0:42:06.40,Default,,0000,0000,0000,,host. So as we observe increased Dialogue: 0,0:42:06.40,0:42:08.64,Default,,0000,0000,0000,,authentication failures, if there's a Dialogue: 0,0:42:08.64,0:42:11.96,Default,,0000,0000,0000,,scenario for a breach and some sort of Dialogue: 0,0:42:11.96,0:42:14.96,Default,,0000,0000,0000,,interruption to the ability to serve out Dialogue: 0,0:42:14.96,0:42:17.52,Default,,0000,0000,0000,,or perform these purchase actions that Dialogue: 0,0:42:17.52,0:42:20.96,Default,,0000,0000,0000,,are affecting the intended Dialogue: 0,0:42:20.96,0:42:23.20,Default,,0000,0000,0000,,operations of the web servers, we can Dialogue: 0,0:42:23.20,0:42:25.28,Default,,0000,0000,0000,,see that here. 
Of course in our tutorial Dialogue: 0,0:42:25.28,0:42:27.32,Default,,0000,0000,0000,,data, there's not really much that's Dialogue: 0,0:42:27.32,0:42:29.88,Default,,0000,0000,0000,,jumping out or showing that there is Dialogue: 0,0:42:29.88,0:42:32.60,Default,,0000,0000,0000,,any correlation between the two, but the Dialogue: 0,0:42:32.60,0:42:34.64,Default,,0000,0000,0000,,purpose of the join is to bring in that Dialogue: 0,0:42:34.64,0:42:37.44,Default,,0000,0000,0000,,extra dataset to give the context to Dialogue: 0,0:42:37.44,0:42:39.84,Default,,0000,0000,0000,,further investigate. Dialogue: 0,0:42:41.04,0:42:47.44,Default,,0000,0000,0000,,So that is the final Dialogue: 0,0:42:47.44,0:42:52.36,Default,,0000,0000,0000,,portion of the SPL demo. And I do want Dialogue: 0,0:42:52.36,0:42:54.92,Default,,0000,0000,0000,,to say for any questions, I'm going to Dialogue: 0,0:42:54.92,0:42:56.96,Default,,0000,0000,0000,,take a look at the chat, I'll do my best Dialogue: 0,0:42:56.96,0:43:00.08,Default,,0000,0000,0000,,to answer any questions, and then if Dialogue: 0,0:43:00.08,0:43:03.08,Default,,0000,0000,0000,,you have any other questions, please Dialogue: 0,0:43:03.08,0:43:05.80,Default,,0000,0000,0000,,feel free to reach out to my team at Dialogue: 0,0:43:05.80,0:43:08.60,Default,,0000,0000,0000,,support@kinneygroup.com, and we'll be Dialogue: 0,0:43:08.60,0:43:11.92,Default,,0000,0000,0000,,happy to get back to you and help. I Dialogue: 0,0:43:11.92,0:43:15.44,Default,,0000,0000,0000,,am taking a look through. Dialogue: 0,0:43:32.20,0:43:33.76,Default,,0000,0000,0000,,Okay, seeing some questions on Dialogue: 0,0:43:33.76,0:43:38.28,Default,,0000,0000,0000,,performance of the rex, sed, regex Dialogue: 0,0:43:38.28,0:43:41.60,Default,,0000,0000,0000,,commands. 
So off the top of my head, Dialogue: 0,0:43:41.60,0:43:43.80,Default,,0000,0000,0000,,I'm not sure about a direct performance Dialogue: 0,0:43:43.80,0:43:46.40,Default,,0000,0000,0000,,comparison of the individual commands. Dialogue: 0,0:43:46.40,0:43:49.20,Default,,0000,0000,0000,,Definitely want to look into that, and Dialogue: 0,0:43:49.20,0:43:52.28,Default,,0000,0000,0000,,definitely follow up if you'd like to Dialogue: 0,0:43:52.28,0:43:54.28,Default,,0000,0000,0000,,explain a more detailed scenario or Dialogue: 0,0:43:54.28,0:43:57.12,Default,,0000,0000,0000,,look at some SPL that we can apply and Dialogue: 0,0:43:57.12,0:43:59.70,Default,,0000,0000,0000,,observe those changes. Dialogue: 0,0:43:59.70,0:44:01.68,Default,,0000,0000,0000,,The question on getting the Dialogue: 0,0:44:01.68,0:44:05.48,Default,,0000,0000,0000,,dataset, that is what I mentioned at Dialogue: 0,0:44:05.48,0:44:07.52,Default,,0000,0000,0000,,the beginning. Reach out to us for the Dialogue: 0,0:44:07.52,0:44:10.12,Default,,0000,0000,0000,,slides or just reach out about the Dialogue: 0,0:44:10.12,0:44:15.48,Default,,0000,0000,0000,,link. And the Splunk tutorial data, you Dialogue: 0,0:44:15.48,0:44:17.88,Default,,0000,0000,0000,,can actually search that as well. And Dialogue: 0,0:44:17.88,0:44:20.40,Default,,0000,0000,0000,,there's documentation on how to use the Dialogue: 0,0:44:20.40,0:44:22.40,Default,,0000,0000,0000,,tutorial data, one of the first links Dialogue: 0,0:44:22.40,0:44:25.64,Default,,0000,0000,0000,,there, takes you to a page that has- Dialogue: 0,0:44:25.64,0:44:29.08,Default,,0000,0000,0000,,it is a tutorial data zip file, and Dialogue: 0,0:44:29.08,0:44:31.08,Default,,0000,0000,0000,,instructions on how to [inaudible] that, it's Dialogue: 0,0:44:31.08,0:44:34.08,Default,,0000,0000,0000,,just an upload for your specific Dialogue: 0,0:44:34.08,0:44:37.60,Default,,0000,0000,0000,,environment. 
So in add data and then Dialogue: 0,0:44:37.60,0:44:40.04,Default,,0000,0000,0000,,upload data, two clicks, and upload Dialogue: 0,0:44:40.04,0:44:43.40,Default,,0000,0000,0000,,your file. So that is freely available Dialogue: 0,0:44:43.40,0:44:45.76,Default,,0000,0000,0000,,for anyone, and again, that package is Dialogue: 0,0:44:45.76,0:44:47.44,Default,,0000,0000,0000,,dynamically updated as well so your time Dialogue: 0,0:44:47.44,0:44:51.36,Default,,0000,0000,0000,,stamps are pretty close to normal Dialogue: 0,0:44:51.36,0:44:53.44,Default,,0000,0000,0000,,as you download the app, kind of depends Dialogue: 0,0:44:53.44,0:44:55.92,Default,,0000,0000,0000,,on the time of the cycle for the Dialogue: 0,0:44:55.92,0:44:58.56,Default,,0000,0000,0000,,update, but search overall time, you Dialogue: 0,0:44:58.56,0:45:02.36,Default,,0000,0000,0000,,won't have any issues there. And then Dialogue: 0,0:45:02.36,0:45:05.12,Default,,0000,0000,0000,,yeah, again on receiving slides, reach Dialogue: 0,0:45:05.12,0:45:08.24,Default,,0000,0000,0000,,out to my team, and we're happy to Dialogue: 0,0:45:08.24,0:45:10.24,Default,,0000,0000,0000,,provide those, discuss further, and we'll Dialogue: 0,0:45:10.24,0:45:16.04,Default,,0000,0000,0000,,have the recording available Dialogue: 0,0:45:16.04,0:45:18.40,Default,,0000,0000,0000,,for this session. 
You should be able to, Dialogue: 0,0:45:18.40,0:45:20.68,Default,,0000,0000,0000,,after the recording processes when Dialogue: 0,0:45:20.68,0:45:22.88,Default,,0000,0000,0000,,the session ends, actually use the Dialogue: 0,0:45:22.88,0:45:24.64,Default,,0000,0000,0000,,same link, and you can watch this Dialogue: 0,0:45:24.64,0:45:26.48,Default,,0000,0000,0000,,recording and post without having to Dialogue: 0,0:45:26.48,0:45:31.80,Default,,0000,0000,0000,,sign up or transfer that file so- Dialogue: 0,0:45:33.68,0:45:38.32,Default,,0000,0000,0000,,So okay, Chris, seeing your Dialogue: 0,0:45:38.32,0:45:41.24,Default,,0000,0000,0000,,comment there, let me know if you want Dialogue: 0,0:45:41.24,0:45:44.48,Default,,0000,0000,0000,,to reach out to me directly, anyone as Dialogue: 0,0:45:44.48,0:45:49.44,Default,,0000,0000,0000,,well. We can discuss what slides and Dialogue: 0,0:45:49.44,0:45:51.64,Default,,0000,0000,0000,,presentation you had attended, I'm not Dialogue: 0,0:45:51.64,0:45:55.36,Default,,0000,0000,0000,,sure I have the attendance report Dialogue: 0,0:45:55.36,0:45:57.32,Default,,0000,0000,0000,,for what you've seen previously, so Dialogue: 0,0:45:57.32,0:46:00.24,Default,,0000,0000,0000,,happy to get those for you. Dialogue: 0,0:46:06.72,0:46:10.32,Default,,0000,0000,0000,,All right and seeing- thanks Brett. Dialogue: 0,0:46:10.32,0:46:13.08,Default,,0000,0000,0000,,So you see Brett Woodruff in the chat Dialogue: 0,0:46:13.08,0:46:16.68,Default,,0000,0000,0000,,commenting, systems engineer on the Dialogue: 0,0:46:16.68,0:46:18.64,Default,,0000,0000,0000,,expertise on demand team so very Dialogue: 0,0:46:18.64,0:46:20.40,Default,,0000,0000,0000,,knowledgeable guy, and he's going to be Dialogue: 0,0:46:20.40,0:46:23.72,Default,,0000,0000,0000,,presenting next month's session. 
That Dialogue: 0,0:46:23.72,0:46:25.40,Default,,0000,0000,0000,,is going to take this concept that we Dialogue: 0,0:46:25.40,0:46:28.76,Default,,0000,0000,0000,,talked about in the subsearching as a just Dialogue: 0,0:46:28.76,0:46:30.76,Default,,0000,0000,0000,,general search topic, he's going to go Dialogue: 0,0:46:30.76,0:46:34.32,Default,,0000,0000,0000,,specifically into data enrichment using Dialogue: 0,0:46:34.32,0:46:38.08,Default,,0000,0000,0000,,joins, lookup commands, and how we see Dialogue: 0,0:46:38.08,0:46:41.08,Default,,0000,0000,0000,,that used in the wild. So definitely Dialogue: 0,0:46:41.08,0:46:43.36,Default,,0000,0000,0000,,excited for that one, encourage you to Dialogue: 0,0:46:43.36,0:46:46.48,Default,,0000,0000,0000,,register for that event. Dialogue: 0,0:46:46.92,0:46:52.24,Default,,0000,0000,0000,,All right, I'm not seeing any more questions. Dialogue: 0,0:46:57.80,0:47:02.12,Default,,0000,0000,0000,,All right, with that I am stopping my Dialogue: 0,0:47:02.12,0:47:05.08,Default,,0000,0000,0000,,share. I'm going to hang around for a few Dialogue: 0,0:47:05.08,0:47:07.44,Default,,0000,0000,0000,,minutes, but thank you all for Dialogue: 0,0:47:07.44,0:47:11.08,Default,,0000,0000,0000,,attending, and we'll see you on the next session.